Please do not open a public issue for security problems.
Report privately through GitHub's Report a vulnerability form (the repository's Security → Advisories tab). We aim to acknowledge a valid report within a few days and will coordinate a fix and disclosure with you.
When reporting, please include reproduction steps and the affected version. Never paste an API key, token, or any other secret into a report.
Voxis is an open-source BYOK (bring-your-own-key) desktop app:
- Your Google Gemini API key is stored encrypted at rest with Windows DPAPI
(
CryptProtectData,CURRENT_USERscope) plus a per-install entropy secret, underprofiles/byok/. It is never written to a plaintext.envand never leaves your machine except to open the Gemini Live WebSocket your key authorizes. - The open-source build makes no outbound calls of its own — no telemetry, no authentication, no usage reporting. The only network it touches is that Gemini Live session.
- The public repository is kept free of secrets and closed-core code by a
release-hygiene gate (
scripts/check_release_hygiene.py), enforced in CI and a local pre-push hook.
The latest version on the main branch receives security fixes.