BearWave is currently in a public beta phase. Security reports are very welcome and should be handled carefully, especially since BearWave processes external internet radio streams and metadata.
We only guarantee the security and integrity of our official distribution channels:
- Our official Flatpak repository (https://flatpak.bearwave.app/), which is GPG-signed by the author.
- Our official AUR package (bearwave-git), where the source code is cloned directly from our official GitHub repository and built locally on your machine.
We do not verify, support, or guarantee the security of any other third-party binary repositories (such as unofficial repositories on the openSUSE Build Service, private Arch repositories, or other third-party package mirrors). Installing from unofficial sources carries security risks, as the binaries are not compiled or controlled by the original author.
During the beta phase, security fixes target the latest code on main and the most recent published release when practical.
Older releases are not guaranteed to receive backported fixes. Users should update to the latest available release after a security fix is published.
Please do not open a public issue for a vulnerability before it has been reviewed.
Preferred reporting path:
- Use GitHub's private vulnerability reporting / security advisory feature for this repository, if available.
- If private reporting is not available, contact the maintainer through GitHub and request a private disclosure channel.
Include as much detail as possible:
- Affected BearWave version or commit SHA
- Operating system and desktop environment
- Steps to reproduce the issue
- Potential impact of the vulnerability