Security: ahatem/QTranslate

SECURITY.md

Security Policy

Supported versions

Version                Supported
Latest release         ✅ Security fixes backported
Previous minor (n-1)   ⚠️ Critical fixes only
Older releases         ❌ Not supported

We recommend always running the latest release.


Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues. A public issue exposes the vulnerability to everyone before it can be fixed.

Use one of these private channels instead:

  • GitHub private vulnerability reporting (preferred) — click "Report a vulnerability" on the Security tab
  • Email — send details to ahatem925@gmail.com with the subject line [QTranslate Security]

What to include

  • A description of the vulnerability and its potential impact
  • The component or feature affected (plugin system, hotkey handler, update checker, marketplace download, etc.)
  • Steps to reproduce or a proof-of-concept (if safe to share)
  • The QTranslate version, operating system, and Java version you tested against
  • Any mitigations or workarounds you are aware of

Response timeline

Stage                             Target
Acknowledgement                   Within 48 hours
Triage and severity assessment    Within 5 business days
Fix and coordinated disclosure    Depends on severity — critical issues within 14 days where possible

We follow responsible disclosure — please give us reasonable time to fix the issue before making it public.


Scope

In scope

  • Arbitrary code execution via the plugin system (e.g. unsigned plugin loading without user confirmation)
  • Credential or API key leakage (e.g. keys logged in plain text or transmitted to unexpected hosts)
  • Privilege escalation or sandbox escapes
  • Unsafe deserialization in config loading or plugin manifests
  • Remote code execution via the update checker or marketplace plugin download path
  • Issues that could allow a malicious plugin to silently replace or tamper with other plugins

Out of scope

  • Vulnerabilities in third-party plugins not maintained in this repository
  • Issues that require physical access to the machine
  • Social engineering (convincing a user to install a malicious plugin)
  • Vulnerabilities in third-party translation APIs (report those to the relevant service provider)
  • Theoretical vulnerabilities with no practical exploitation path

Plugin security note

QTranslate plugins run inside the JVM with full access to the local filesystem and network. Only install plugins from sources you trust. The plugin verification system (JAR hash checking on install) protects against silent plugin replacement after installation, but it is not a substitute for trusting the source in the first place.
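The install-time hash pinning described above, as an added illustration that is not QTranslate's own code: a hypothetical PluginPinStore records the SHA-256 of each plugin JAR once, at install time after the user has confirmed it, and refuses to load any JAR whose current digest no longer matches (or that was never pinned at all). The pin-file layout (plugins.sha256 next to the plugins) and the class name are assumptions; the demo in main writes a constructed fake JAR to a temporary directory, pins it, overwrites it to simulate a silent replacement, and shows the check failing. It needs Java 17 or later for HexFormat and Stream.toList().

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;

// Hypothetical pinning helper for illustration; not part of QTranslate.
public final class PluginPinStore {
    private final Path pinFile;                       // assumed layout: <plugin-dir>/plugins.sha256
    private final Map<String, String> pins = new HashMap<>();  // jar file name -> lowercase hex SHA-256

    public PluginPinStore(Path pinFile) throws IOException {
        this.pinFile = pinFile;
        if (Files.exists(pinFile)) {
            for (String line : Files.readAllLines(pinFile, StandardCharsets.UTF_8)) {
                // One pin per line: "<hex-sha256>  <jar-name>" (same shape as sha256sum output)
                String[] parts = line.trim().split("\\s+", 2);
                if (parts.length == 2) pins.put(parts[1], parts[0].toLowerCase());
            }
        }
    }

    /** Streams the JAR through SHA-256 so large plugins are never read fully into memory. */
    public static String sha256Hex(Path jar) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JVM", e);
        }
        try (InputStream in = Files.newInputStream(jar)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        return HexFormat.of().formatHex(md.digest());
    }

    /** Called once, at install time, only after the user has explicitly confirmed the plugin. */
    public void pin(Path jar) throws IOException {
        pins.put(jar.getFileName().toString(), sha256Hex(jar));
        List<String> lines = pins.entrySet().stream()
                .map(e -> e.getValue() + "  " + e.getKey())
                .sorted()
                .toList();
        Files.write(pinFile, lines, StandardCharsets.UTF_8);
    }

    /**
     * Called before every load. Returns true only when the JAR on disk is byte-for-byte the one
     * that was pinned. A JAR with no pin (dropped into the directory after installation) is
     * refused just like a tampered one, so the check fails closed rather than open.
     */
    public boolean verify(Path jar) throws IOException {
        String expected = pins.get(jar.getFileName().toString());
        if (expected == null) return false;
        String actual = sha256Hex(jar);
        // Constant-time comparison of the two digests.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                actual.getBytes(StandardCharsets.US_ASCII));
    }

    // Demo with a constructed fake "plugin" in a temporary directory.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("qtranslate-plugins");
        Path jar = dir.resolve("example-plugin.jar");   // constructed stand-in, not a real plugin
        Files.write(jar, "PK fake jar contents".getBytes(StandardCharsets.UTF_8));

        PluginPinStore store = new PluginPinStore(dir.resolve("plugins.sha256"));
        store.pin(jar);
        System.out.println("fresh install verifies: " + store.verify(jar));

        // Simulate a silent replacement of the JAR after installation.
        Files.write(jar, "PK tampered contents".getBytes(StandardCharsets.UTF_8));
        System.out.println("after replacement:      " + store.verify(jar));

        // A JAR that was never pinned is also refused.
        Path stray = dir.resolve("stray.jar");
        Files.write(stray, new byte[] {1, 2, 3});
        System.out.println("unpinned jar:           " + store.verify(stray));
    }
}
```

Two design points carry over to any real implementation. The pin file must itself live somewhere the plugin cannot rewrite, otherwise a plugin with filesystem access (which, as the note says, every QTranslate plugin has) can re-pin its own replacement; and the check only answers "is this still the file the user approved?", so it adds nothing to the decision of whether that file was trustworthy when it was installed.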


Credit

Reporters who responsibly disclose valid security issues will be credited in the release notes and CHANGELOG (unless they prefer to remain anonymous).
