Security Policy
Supported Versions
| Version |
Supported |
| 1.0.x |
:white_check_mark: |
Reporting a Vulnerability
If you discover a security vulnerability:
- Do NOT open a public issue
- Email: [email protected]
- Include: description, steps to reproduce, and impact
- We will respond within 48 hours
Security Design
- No telemetry — The app never phones home
- No cloud dependency — Works fully offline; Dropbox upload is optional
- No account required — No sign-up, no login
- Token stored locally — Dropbox access token in macOS UserDefaults (app-sandboxed). Future improvement: migrate to Keychain.
- Audio only — ScreenCaptureKit captures audio only; video frames are discarded
- Open source — Full source code is auditable
- Auto-cleanup — Local recordings auto-delete after configurable days
Permissions
| Permission |
Purpose |
Scope |
| Microphone |
Record your voice |
Audio input only |
| Screen & Audio Recording |
Capture system audio |
Audio output stream only |
| Notifications |
Meeting detection alerts |
Local notifications only |
| Network |
Dropbox upload |
api.dropboxapi.com, content.dropboxapi.com only |
UpM3t does NOT access: screen contents, camera, contacts, files outside its recordings folder, or any network beyond Dropbox API.