We release security updates for the following versions of MIDIMon:

| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ✅ |
| < 0.1.0 | ❌ |

We take the security of MIDIMon seriously. If you discover a security vulnerability, please follow these steps:

1. Please do not open a public GitHub issue or discussion about the vulnerability. This helps protect users while we work on a fix.
2. Send details of the vulnerability to: security@amiable.dev

Include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if you have one)
- Your name/handle for acknowledgment (optional)

Response Timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days with assessment and estimated fix timeline
- Fix Released: Critical issues within 14 days, others within 30 days
- Public Disclosure: After fix is released and users have had time to update (typically 7-14 days)

What to expect after reporting:
- We'll confirm the vulnerability and assess its severity
- We'll develop a fix in a private repository
- We'll release a patch version with the fix
- We'll publish a security advisory with details and mitigation steps
- We'll credit the reporter (if desired) in our security hall of fame

MIDIMon requires HID device access to control LED feedback on MIDI controllers. On macOS, this requires:
- Input Monitoring permissions granted in System Settings
- User consent for device access

Mitigation: Users should only grant permissions to official releases from trusted sources.

MIDIMon can execute shell commands as part of action mappings (e.g., launching applications, volume control). This is a powerful feature but requires careful configuration.

Best Practices:
- Review configuration files before loading them from untrusted sources
- Use absolute paths for shell commands
- Avoid running MIDIMon with elevated privileges unless necessary
- Validate all user-provided configuration inputs
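
The shell-command best practices above (absolute paths, validated inputs) as an added Rust example that is not MIDIMon's own code: it assumes a hypothetical `ActionMapping` struct (`program`, `args`) standing in for whatever fields the real TOML action schema uses, rejects relative paths and control characters, and launches the program directly rather than through a shell so config values are never interpreted as shell syntax.

```rust
// Added example, not MIDIMon's own code. `ActionMapping` is a hypothetical
// stand-in for the fields MIDIMon's TOML action mappings actually define.
use std::path::Path;
use std::process::Command;

/// Hypothetical shape of one shell-command action loaded from the TOML config.
#[derive(Debug, Clone)]
pub struct ActionMapping {
    pub program: String,   // executable to launch
    pub args: Vec<String>, // arguments, each passed as its own argv entry
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    EmptyProgram,
    RelativePath(String),
    ControlChars(String),
}

/// Enforce the best-practices policy: the program must be an absolute path
/// (no PATH lookup), and no field may carry control characters.
pub fn validate(mapping: &ActionMapping) -> Result<(), ConfigError> {
    if mapping.program.is_empty() {
        return Err(ConfigError::EmptyProgram);
    }
    if !Path::new(&mapping.program).is_absolute() {
        return Err(ConfigError::RelativePath(mapping.program.clone()));
    }
    for field in std::iter::once(&mapping.program).chain(mapping.args.iter()) {
        if field.chars().any(char::is_control) {
            return Err(ConfigError::ControlChars(field.clone()));
        }
    }
    Ok(())
}

/// Build the process without `sh -c`: config values become argv entries and
/// are never parsed by a shell, so quotes or metacharacters in them are inert.
pub fn build_command(mapping: &ActionMapping) -> Result<Command, ConfigError> {
    validate(mapping)?;
    let mut cmd = Command::new(&mapping.program);
    cmd.args(&mapping.args);
    Ok(cmd)
}

fn main() {
    // Constructed sample mappings, not taken from any real MIDIMon config.
    let good = ActionMapping { program: "/usr/bin/open".into(), args: vec!["-a".into(), "Safari".into()] };
    let bad = ActionMapping { program: "open".into(), args: vec![] };
    println!("{:?}", validate(&good)); // Ok(())
    println!("{:?}", validate(&bad)); // Err(RelativePath("open"))
}
```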

MIDIMon loads TOML configuration files that define action mappings.

Best Practices:
- Only load configuration files from trusted sources
- Review configurations before applying them
- Keep backups of working configurations
- Use version control for configuration files

MIDIMon can load .ncmm3 profile files from Native Instruments Controller Editor. XML parsing is done with a memory-safe Rust library (quick-xml).

Best Practices:
- Only load profiles from official Native Instruments sources or trusted creators

We acknowledge and thank the following security researchers for responsibly disclosing vulnerabilities:

(No reports yet - be the first!)

Disclosure Policy:
- We believe in coordinated disclosure to protect users
- Security patches are released before public disclosure
- We'll work with reporters to agree on disclosure timeline
- We'll credit reporters in release notes and this document (with permission)

For encrypted vulnerability reports, use our PGP key:
(PGP key to be added if needed)

Last Updated: 2025-11-11