Michatec/Radio
1
1
Fork 0
mirror of https://github.com/Michatec/Radio.git synced 2026-05-30 23:52:40 +02:00
Code Issues Packages Projects Releases Activity

docs: add SECURITY.md

Browse Source
This commit is contained in:
Michatec
2026-04-19 00:11:17 +02:00
parent b3de68050c
commit b60b8cdb7c
1 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SECURITY.md
+59
View File
@@ -0,0 +1,59 @@
# Security Policy
## Reporting a Vulnerability
We take the security of Radio seriously. If you believe you have found a security vulnerability, please report it via **GitHub Issues** before disclosing it publicly.
**Create a new security issue**: [GitHub Issues — Security](https://github.com/michatec/Radio/issues/new?labels=security). We will respond within 48 hours acknowledging your report and work with you to understand and address the issue.
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions (if known)
- Potential impact
- Any suggested fixes (optional)
We appreciate responsible disclosure and will credit researchers who report valid security issues (unless you prefer to remain anonymous).
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 14.5 | :white_check_mark: |
| < 14.5 | :x: |
Only the latest stable release receives security updates. Users on older versions are encouraged to update.
## Security Considerations
### Network Security
Radio streams audio over the internet and connects to the [radio-browser.info](https://www.radio-browser.info/) API for station search. The app allows cleartext HTTP traffic for radio stream compatibility (required for many legacy radio stations).
### Data Collection
- **Station data** (names, images, stream URLs) is fetched from radio-browser.info's public API
- **Station lists** are stored locally on the device only
- **No personal data** is collected or transmitted to michatec servers
- **Usage data** is not collected
### Permissions
Radio requests only the permissions necessary for core functionality:
- `INTERNET` — stream radio and fetch station metadata
- `ACCESS_NETWORK_STATE` — detect connectivity changes
- `FOREGROUND_SERVICE_MEDIA_PLAYBACK` — maintain playback when app is backgrounded
- `WAKE_LOCK` — prevent device from sleeping during playback
### Third-Party Dependencies
Radio uses several third-party libraries. Security issues in dependencies are monitored via Renovate bot for updates. Key dependencies include:
- AndroidX Media3 / ExoPlayer (media playback)
- Google Cast SDK (Chromecast support)
- Volley (HTTP requests)
### File Handling
The app can import M3U/PLS playlist files from external sources. Files are processed locally and stream URLs are validated before playback. Station images are downloaded from radio-browser.info and cached locally.
## Security Update Process
Security patches are delivered via normal app update channels (GitHub Releases, automated update notifications). Critical vulnerabilities may trigger an out-of-band security update.
## Contacts
- General issues: [GitHub Issues](https://github.com/michatec/Radio/issues)
- Project maintainer: [@michatec](https://github.com/michatec)