Security Policy
Last updated: September 13, 2025 (v0.3.2 Security Hardening Complete)
Our Commitment to Security
Security is a top priority for Mirenku. We take the protection of your data seriously and actively work to ensure Mirenku remains secure.
Reporting Security Vulnerabilities
Email: projects@aeturnis.dev
Subject Line: [SECURITY] Mirenku Vulnerability Report
Please DO NOT report security vulnerabilities through public GitHub issues, Discord, or other public channels.
What to Include in Your Report
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any proof-of-concept code (if applicable)
- Your suggested fix (if you have one)
Response Timeline
- Initial Response: Within 48 hours
- Status Update: Within 1 week
- Resolution Target: Based on severity (see below)
Severity Levels
| Severity | Description | Resolution Target |
|---|---|---|
| Critical | Remote code execution, authentication bypass, data breach | 24-48 hours |
| High | Privilege escalation, significant data exposure | 1 week |
| Medium | Limited data exposure, denial of service | 2-4 weeks |
| Low | Minor issues with limited impact | Next release |
Security Features in Mirenku
Authentication & Authorization
- OAuth2 with enhanced PKCE (128-character verifier, 768 bits of entropy)
- No password storage - only secure tokens
- Three-tier encrypted token storage (OS keyring → Fernet → No insecure fallback)
- Proactive token refresh with 5-minute buffer before expiry
- OAuth state parameters with 5-minute timestamp expiration
- Rate limiting: 3 auth attempts/min, 5 refresh attempts/min with lockout
Data Protection
- All data stored locally - no cloud storage
- SQLite database with proper parameterized queries
- No telemetry or user tracking
- Secure protocol handler registration with backup and conflict detection
- Automatic 30-day encryption key rotation
- Comprehensive error sanitization (token redaction, PII masking)
- Security audit logging with privacy-safe exports
Network Security
- HTTPS only for all external communications
- Direct API calls to MyAnimeList (no proxy)
- Certificate validation for all connections
Scope
This security policy applies to:
- The Mirenku desktop application
- The mirenku.app website
- The mirenku.org documentation site
- Official Mirenku releases on GitHub
Out of Scope
The following are generally out of scope:
- Vulnerabilities in third-party services (MyAnimeList, Discord)
- Issues in dependencies that are already publicly known
- Social engineering attacks
- Physical attacks on user devices
Recognition
We appreciate security researchers who help us keep Mirenku secure. With your permission, we'll acknowledge your contribution in our release notes and security hall of fame.
Legal Safe Harbor
We will not pursue legal action against security researchers who:
- Follow responsible disclosure practices
- Give us reasonable time to address issues
- Don't exploit vulnerabilities beyond proof of concept
- Don't violate user privacy or destroy data
Known Security Considerations
- Mirenku is a desktop application with full system access
- OAuth tokens are stored locally (encrypted but accessible to the user)
- The application trusts data from MyAnimeList API
- Custom protocol handler registration modifies system settings
Updates and Patches
Security updates are released as soon as possible after verification and fix development. We recommend all users stay on the latest version of Mirenku.
v0.3.2 Security Hardening (100% Complete)
The latest release includes comprehensive security enhancements:
Completed Security Enhancements
- ✅ Token Refresh Buffer: Proactive 5-minute refresh prevents authentication failures
- ✅ OAuth State Timestamps: 5-minute expiration prevents replay attacks
- ✅ Rate Limiting: Comprehensive throttling with exponential backoff and lockout
- ✅ Error Sanitization: Complete redaction of tokens, secrets, and PII in logs
- ✅ Enhanced PKCE: Maximum 128-character verifier (768 bits of entropy)
- ✅ Security Audit Logging: Full event tracking with privacy protection
- ✅ Key Rotation: Automatic 30-day rotation with emergency procedures
- ✅ No Insecure Fallback: Eliminated automatic base64 token storage
Security Testing
- 105+ Security Tests: Comprehensive test coverage for all security features
- TDD Approach: Test-driven development for security implementations
- Thread Safety: Verified concurrent access protection
- Emergency Procedures: Tested rollback and recovery mechanisms
Security Architecture Deep Dive
For those interested in the technical details of Mirenku's security implementation:
Token Storage Architecture (Enhanced v0.3.2)
Mirenku uses a hardened multi-layer approach to protect MAL authentication tokens:
- OS Keyring Integration: Primary storage uses the operating system's secure credential storage (Windows Credential Manager, macOS Keychain, Linux Secret Service)
- Fernet Encryption: Tokens are encrypted using Fernet (symmetric encryption) before storage
- Automatic Key Rotation: Encryption keys rotate every 30 days with seamless re-encryption
- No Insecure Fallback: Removed automatic base64 fallback - requires explicit user consent
- Split Storage: Large tokens split to handle Windows Credential Manager size limits
- No Plaintext Storage: Tokens never touch disk in plaintext form
OAuth2 PKCE Implementation (Enhanced v0.3.2)
Our OAuth2 implementation goes beyond the RFC 7636 minimums:
- Code Verifier: 128 characters, the RFC 7636 maximum length (96 random bytes, 768 bits of entropy)
- Code Challenge: SHA256 hash of the verifier, base64url encoded
- State Parameter: Timestamped with 5-minute expiration, one-time use
- No Client Secret: PKCE eliminates the need for embedded client secrets
- 3x Stronger: The verifier carries three times the entropy of the shortest verifier the spec allows
Protocol Handler Security
The custom mirenku:// protocol handler includes protections:
- Origin Validation: Only accepts callbacks from myanimelist.net
- Single-Use Codes: Authorization codes are immediately exchanged and cannot be reused
- Timeout Protection: Pending auth requests expire after 10 minutes
- Registration Check: Verifies protocol handler ownership on startup
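The two sections above describe the PKCE verifier/challenge pair, the timestamped single-use state, and the callback that returns the authorization code through the custom scheme. The following is an added example of how those pieces fit together in Python; it is not Mirenku's code. The names `make_code_verifier`, `PendingAuthorizations`, `parse_callback` and `handle_callback` are hypothetical, the callback path `mirenku://auth/callback` is assumed, and the verifier length (96 bytes, 128 characters) and 5-minute state lifetime are the values stated on the page. The state registry uses an injectable clock so expiry and replay handling can be exercised without waiting.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Values from the page: 96 random bytes -> a 128-character base64url verifier
# (768 bits), and a 5-minute state lifetime. All names here are hypothetical.
VERIFIER_BYTES = 96
STATE_TTL_SECONDS = 300


def make_code_verifier(nbytes: int = VERIFIER_BYTES) -> str:
    """Base64url-encode random bytes without padding. 96 bytes encode to exactly
    128 characters, all inside the RFC 7636 unreserved set [A-Za-z0-9-._~]."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


class PendingAuthorizations:
    """Issued states are single-use and expire after `ttl` seconds.
    `now` is injectable so the expiry logic is testable without sleeping."""

    def __init__(self, ttl: int = STATE_TTL_SECONDS):
        self._ttl = ttl
        self._pending = {}  # state -> (verifier, issued_at)

    def begin(self, now: Optional[float] = None):
        """Start a flow: returns (state, verifier, challenge). The verifier stays
        private; only the challenge is placed in the authorization URL."""
        now = time.time() if now is None else now
        verifier = make_code_verifier()
        # The issue time is embedded in the state so a stale value is obvious in logs.
        state = f"{int(now)}.{secrets.token_urlsafe(24)}"
        self._pending[state] = (verifier, now)
        return state, verifier, make_code_challenge(verifier)

    def consume(self, state: str, now: Optional[float] = None):
        """Return the verifier for a valid state, else None. The entry is removed
        either way, so a replayed state is never accepted a second time."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)
        if entry is None:
            return None  # unknown, or already used
        verifier, issued_at = entry
        if now - issued_at > self._ttl:
            return None  # expired
        return verifier


def parse_callback(url: str):
    """Extract (code, state) from a mirenku:// callback URL; None if it is not one."""
    parsed = urlparse(url)
    if parsed.scheme != "mirenku":
        return None
    params = parse_qs(parsed.query)
    code = params.get("code", [""])[0]
    state = params.get("state", [""])[0]
    if not code or not state:
        return None
    return code, state


def handle_callback(pending: PendingAuthorizations, url: str, now: Optional[float] = None):
    """Returns (code, verifier) ready for the token exchange, or None when the
    callback must be rejected (wrong scheme, missing fields, bad or reused state)."""
    parsed = parse_callback(url)
    if parsed is None:
        return None
    code, state = parsed
    verifier = pending.consume(state, now=now)
    if verifier is None:
        return None
    return code, verifier
```

The challenge function can be checked against the S256 test vector in RFC 7636 Appendix B; the state registry pops an entry before checking its age, which is what makes an expired state just as unusable on replay as a fresh one.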
Database Security
Local SQLite database protections:
- Parameterized Queries: All queries use parameter binding to prevent SQL injection
- Transaction Integrity: ACID compliance for data consistency
- File Permissions: Database file restricted to user access only
- Future: Database encryption at rest planned for v0.4.0
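As an added illustration of the first three points (not Mirenku's code, and with a made-up `anime_list` table rather than the real schema), this Python snippet creates the SQLite file owner-only before any row lands in it, writes rows inside one transaction, and contrasts string interpolation with parameter binding on a constructed title that doubles as SQL. `run_example` is a hypothetical driver that returns the observable results.

```python
import os
import sqlite3
import stat
import tempfile

# Hypothetical schema for illustration only; the real Mirenku schema is not on the page.
SCHEMA = ("CREATE TABLE IF NOT EXISTS anime_list "
          "(id INTEGER PRIMARY KEY, title TEXT NOT NULL, status TEXT NOT NULL)")


def open_db(path: str) -> sqlite3.Connection:
    """Create the file with mode 0600 before any data is written, so there is no
    window in which another local account could read it."""
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)  # umask can only narrow this
    os.close(fd)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # also tightens a pre-existing file
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def add_entries(conn, rows):
    """Bound parameters via executemany inside one transaction: the `with conn:`
    block commits all rows or rolls back on exception (ACID)."""
    with conn:
        conn.executemany("INSERT INTO anime_list (title, status) VALUES (?, ?)", rows)


def find_by_title_unsafe(conn, title):
    """The pattern the page rules out: user input interpolated into SQL text is
    parsed as SQL, so quotes inside it change the query's meaning."""
    return conn.execute(f"SELECT id FROM anime_list WHERE title = '{title}'").fetchall()


def find_by_title(conn, title):
    """Parameter binding: the value is handed to SQLite separately from the SQL
    text and is only ever compared as data."""
    return conn.execute("SELECT id FROM anime_list WHERE title = ?", (title,)).fetchall()


def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def run_example() -> dict:
    """Hypothetical driver: builds a throwaway database and returns what each query saw."""
    path = os.path.join(tempfile.mkdtemp(), "mirenku-example.db")
    conn = open_db(path)
    add_entries(conn, [("Cowboy Bebop", "completed"), ("Trigun", "watching")])
    probe = "x' OR '1'='1"  # constructed input: a legal title, but also legal SQL
    result = {
        "mode": file_mode(path),
        "unsafe_rows": len(find_by_title_unsafe(conn, probe)),  # every row leaks
        "safe_rows": len(find_by_title(conn, probe)),           # nothing matches
        "exact": len(find_by_title(conn, "Trigun")),
    }
    conn.close()
    os.remove(path)
    return result


if __name__ == "__main__":
    print(run_example())
```

The file mode check assumes a POSIX host; on Windows `os.chmod` only toggles the read-only bit and the keyring-backed token storage, not file permissions, is what separates users.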
Network Communication
All external communications follow strict security guidelines:
- TLS 1.2+ Only: Refuses connections using older TLS versions
- Certificate Validation: Full certificate chain validation for all HTTPS connections
- No HTTP Fallback: Will fail rather than downgrade to insecure connection
- API Rate Limiting: Respects MAL rate limits to prevent abuse
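The first three guidelines map directly onto Python's `ssl` module. Below is an added example (not Mirenku's code) showing the hardened client context beside the weak one the policy forbids, a startup self-check, and a fail-closed URL guard; `make_client_context`, `context_is_hardened`, `is_allowed_url` and `open_url` are hypothetical names, and `open_url` is shown but not exercised since it would reach the network.

```python
import ssl
import urllib.request


class InsecureUrlError(ValueError):
    """Raised instead of silently downgrading to plaintext HTTP."""


def make_client_context() -> ssl.SSLContext:
    """Hardened context: system CA store, hostname check, certificate required,
    and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The settings the policy rejects, built here only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Self-check a context against the policy before it is used."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def is_allowed_url(url: str) -> bool:
    return url.lower().startswith("https://")


def require_https(url: str) -> str:
    """Fail closed: an http:// URL is an error, never rewritten or retried."""
    if not is_allowed_url(url):
        raise InsecureUrlError(f"refusing non-HTTPS URL: {url}")
    return url


def open_url(url: str, ctx: ssl.SSLContext = None):
    """How a request would be issued with the hardened context (not run here)."""
    return urllib.request.urlopen(require_https(url), context=ctx or make_client_context())
```

`ssl.create_default_context()` already requires a valid chain and a matching hostname; pinning `minimum_version` is the one extra line that turns "TLS 1.2+" from a default of the Python version into an explicit policy.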
Application Security
The desktop application includes these security measures:
- Input Validation: All user input sanitized before processing
- No Eval/Exec: No dynamic code execution from user input
- Dependency Scanning: Regular security audits of dependencies
- Signed Releases: Future releases will include code signing
Security Monitoring & Audit Logging (New in v0.3.2)
Comprehensive security event tracking with privacy protection:
- Event Tracking: Authentication attempts, token refreshes, rate limit triggers
- Privacy-Safe Logs: Automatic PII redaction (emails hashed, IPs masked)
- Local Storage: All audit logs stored locally - you own your security data
- Log Rotation: Automatic size and time-based rotation with retention policies
- Export Formats: JSON and CSV exports with privacy filtering
- Optional Encryption: Audit logs can be encrypted at rest
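The error-sanitization and audit-logging points above (token redaction, hashed emails, masked IPs) can be shown on a few lines of log text. This is an added Python example, not Mirenku's sanitizer: the regular expressions, the `sanitize` and `audit_event` names, and the sample lines in `SAMPLE_LINES` are all constructed for illustration.

```python
import hashlib
import re

# Constructed patterns for this example, not Mirenku's actual rules.
# Bearer headers and access/refresh token fields in query or JSON form.
TOKEN_RE = re.compile(
    r"(?i)(bearer\s+|(?:access|refresh)_token['\"]?\s*[:=]\s*['\"]?)([A-Za-z0-9\-._~+/]+=*)"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def hash_email(addr: str) -> str:
    """Stable pseudonym: the same address always maps to the same 12 hex chars,
    so events can still be correlated without the address being stored."""
    return "email:" + hashlib.sha256(addr.lower().encode()).hexdigest()[:12]


def sanitize(line: str) -> str:
    """Apply redactions in order: secrets first, then identifiers."""
    line = TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)
    line = EMAIL_RE.sub(lambda m: hash_email(m.group(0)), line)
    line = IPV4_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.{m.group(3)}.x", line)
    return line


def audit_event(kind: str, detail: str) -> dict:
    """Build one audit record, sanitized before it is stored or exported."""
    return {"event": kind, "detail": sanitize(detail)}


# Constructed sample lines, as an error handler might produce them.
SAMPLE_LINES = [
    "Authorization: Bearer eyJhbGciOi.abc123 user=alice@example.com from 203.0.113.42",
    '{"refresh_token": "r3fr3sh-T0k3n", "error": "invalid_grant"}',
    "rate_limit_triggered user=bob@example.com attempts=4",
]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(sanitize(raw))
```

Redacting tokens before hashing emails matters: a token that happened to contain an `@` would otherwise be partly preserved as a pseudonym. The hash keeps the last octet of an IP masked rather than dropping the address entirely, which is enough to correlate a burst of failures without identifying a host.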
Rate Limiting & Abuse Prevention (New in v0.3.2)
Protection against authentication abuse and token exhaustion:
- Auth Attempts: Maximum 3 authorization attempts per minute
- Token Refresh: Maximum 5 refresh attempts per minute
- Lockout Mechanism: 5-minute lockout after 5 failed attempts
- Exponential Backoff: Progressive delays (1s, 2s, 4s, 8s...)
- Thread-Safe: Concurrent request protection with locks
- Local Tracking: All rate limiting done locally - no external dependencies
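The limits listed above (3 auth attempts per minute, 5 refreshes per minute, 1-2-4-8 s backoff, a 5-minute lockout after 5 failures, lock-protected state) are enough to write the limiter down. The following is an added Python example, not Mirenku's implementation; `RateLimiter`, `FakeClock` and `concurrent_attempts` are hypothetical names, and the clock is injectable so lockout timing can be checked without sleeping. One instance with `max_per_minute=3` covers the auth limit and another with `5` the refresh limit.

```python
import threading
import time
from collections import deque


class FakeClock:
    """Constructed test clock so expiry and lockout can be checked without sleeping."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class RateLimiter:
    """Per-minute cap, exponential backoff on failures, and a lockout after a
    failure threshold. Every state change happens under one lock."""

    def __init__(self, max_per_minute, lockout_after=5, lockout_seconds=300.0,
                 base_delay=1.0, clock=time.monotonic):
        self._max = max_per_minute
        self._lockout_after = lockout_after
        self._lockout_seconds = lockout_seconds
        self._base_delay = base_delay
        self._clock = clock
        self._lock = threading.Lock()
        self._attempts = deque()   # timestamps of allowed attempts in the last 60 s
        self._failures = 0
        self._not_before = 0.0     # earliest time the next attempt may run (backoff)
        self._locked_until = 0.0

    def try_acquire(self):
        """Return (allowed, seconds_to_wait). The attempt is counted only if allowed."""
        now = self._clock()
        with self._lock:
            if now < self._locked_until:
                return False, self._locked_until - now
            if self._locked_until and now >= self._locked_until:
                self._failures, self._locked_until = 0, 0.0  # lockout served
            if now < self._not_before:
                return False, self._not_before - now
            while self._attempts and now - self._attempts[0] >= 60:
                self._attempts.popleft()  # slide the one-minute window
            if len(self._attempts) >= self._max:
                return False, 60 - (now - self._attempts[0])
            self._attempts.append(now)
            return True, 0.0

    def record_failure(self):
        """Returns the delay imposed: 1, 2, 4, 8 s ... then the lockout length."""
        now = self._clock()
        with self._lock:
            self._failures += 1
            if self._failures >= self._lockout_after:
                self._locked_until = now + self._lockout_seconds
                return self._lockout_seconds
            delay = self._base_delay * 2 ** (self._failures - 1)
            self._not_before = now + delay
            return delay

    def record_success(self):
        with self._lock:
            self._failures = 0
            self._not_before = 0.0
            self._locked_until = 0.0


def concurrent_attempts(limiter: RateLimiter, n_threads: int) -> int:
    """Fire n attempts at once; the lock guarantees the cap is never exceeded."""
    allowed = []

    def worker():
        ok, _ = limiter.try_acquire()
        if ok:
            allowed.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(allowed)
```

Backoff and lockout are tracked separately from the per-minute window: the window caps how often anyone may try, while `_not_before` and `_locked_until` respond to failures specifically, and a success clears both.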
Privacy by Design
Privacy is built into Mirenku's architecture:
- No Telemetry: Zero tracking, analytics, or crash reporting
- Local First: Full functionality without internet connection
- Minimal Permissions: Only requests necessary system permissions
- Data Portability: Easy export of all data in standard formats
Threat Model (Updated v0.3.2)
Mirenku is designed to protect against:
- Token Theft: Three-tier encryption with automatic key rotation
- Man-in-the-Middle: TLS 1.2+ and certificate validation prevent interception
- CSRF Attacks: Timestamped state parameters with 5-minute expiration
- Replay Attacks: One-time use states and timestamp validation
- Authorization Code Interception: Enhanced PKCE with 768-bit entropy
- Brute Force: Rate limiting with exponential backoff and lockout
- Token Exhaustion: Refresh throttling and concurrent protection
- Data Leakage: Error sanitization and privacy-safe audit logs
- Key Compromise: 30-day rotation with emergency procedures
Mirenku does NOT protect against:
- Compromised System: If your OS is compromised, Mirenku cannot protect your data
- Physical Access: Anyone with physical access to your unlocked device
- MAL Account Compromise: Security of your MAL account itself
- Memory Scraping: Advanced attacks reading process memory
Questions?
For non-security questions:
- Discord: Join our server
- GitHub Discussions: Ask here