"Sets wallpapers until it... doesn't (securely)"
We actively maintain and provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security seriously. If you discover a security vulnerability in NeoWall, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please:
- Email: Send details to the maintainer (check GitHub profile for contact)
- GitHub Security Advisory: Use the private vulnerability reporting feature
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions
- Potential impact
- Any suggested fixes (if you have them)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-3 days
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
NeoWall is designed with security in mind:
- No Root Privileges: Runs as a normal user
- No Network Access: Purely local, no external connections
- Limited Attack Surface: Minimal dependencies
- Input Validation: All user inputs are validated
- Safe File Operations: Proper bounds checking on file I/O
- Memory Safety: Careful memory management with proper cleanup
What NeoWall does NOT protect against:
- Malicious Images: We load PNG/JPEG files - ensure your image sources are trusted
- Config Injection: Don't allow untrusted users to modify your config file
- Symlink Attacks: Be cautious with symbolic links in wallpaper directories
- File Permissions: Ensure your wallpaper files have appropriate permissions
When using NeoWall:
- ✅ Keep NeoWall updated to the latest version
- ✅ Use wallpapers from trusted sources
- ✅ Set appropriate file permissions on config files (`chmod 600 ~/.config/neowall/config.vibe`)
- ✅ Verify image files before using them as wallpapers
- ✅ Don't run NeoWall with elevated privileges (unnecessary and dangerous)
- ✅ Review config changes if using auto-reload (`--watch`)
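
An added example (not part of NeoWall or its documentation) that checks the config-permission, symlink and file-permission points from the lists above. The function names and the wallpaper directory argument are assumptions, and it relies on GNU `stat`, `readlink` and `find`.

```shell
#!/bin/sh
# Added example: audit the files NeoWall reads. Function names are
# hypothetical; assumes GNU stat, readlink and find (Linux).

# Print one line per problem with the config file; status 1 if any.
check_config() {
    cfg=$1
    rc=0
    if [ -L "$cfg" ]; then
        echo "SYMLINK $cfg -> $(readlink -f -- "$cfg")"; rc=1
    fi
    if [ ! -f "$cfg" ]; then
        echo "MISSING $cfg"; return 1
    fi
    mode=$(stat -L -c '%a' -- "$cfg")    # -L: inspect the file a symlink points to
    owner=$(stat -L -c '%u' -- "$cfg")
    if [ "$mode" != 600 ]; then
        echo "MODE $cfg is $mode, expected 600"; rc=1
    fi
    if [ "$owner" != "$(id -u)" ]; then
        echo "OWNER $cfg belongs to uid $owner"; rc=1
    fi
    return "$rc"
}

# Print symlinks under DIR that resolve outside it and files writable by
# group or others; status 1 if any, 2 if DIR is not a directory.
check_wallpapers() {
    [ -d "$1" ] || return 2
    dir=$(readlink -f -- "$1")
    out=$(
        find "$dir" -type l | while IFS= read -r link; do
            target=$(readlink -f -- "$link") || target=
            case $target in
                ("$dir"/*) ;;    # target stays inside the wallpaper directory
                (*) echo "ESCAPES $link -> $target" ;;
            esac
        done
        find "$dir" -type f -perm /022 -printf 'WRITABLE %p\n'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh audit.sh ~/.config/neowall/config.vibe /path/to/wallpapers
if [ "$#" -eq 2 ]; then
    check_config "$1"; c=$?
    check_wallpapers "$2"; w=$?
    [ "$c" -eq 0 ] && [ "$w" -eq 0 ]
fi
```
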
None reported yet. We'll maintain a list here if any are discovered.
We appreciate responsible disclosure and will credit security researchers who report vulnerabilities (unless they prefer to remain anonymous).
Remember: Even wallpaper daemons deserve secure code. If you find something, let us know!