Please do not open a public issue, PR, or discussion for a security bug. That discloses it to everyone before there's a fix.
Report it privately instead:
- GitHub Security Advisory (preferred): the repository's Security tab → Advisories → Report a vulnerability. This opens a private channel with the maintainers.
- Or email the maintainer at the address in the git history for
Cargo.toml.
Please include a proof-of-concept or a concrete impact argument. We aim to acknowledge within 72 hours and to ship a fix for confirmed high-impact issues promptly. Reporters are credited in the hall of fame after a fix ships (or anonymously, if you prefer).
- Silent bypass of change detection (a watched file altered without an alert).
- Forgery of the signed baseline / defeat of the keystore-anchored integrity.
- Code execution triggered by Heimdall itself, or trojanisation of Heimdall.
- XSS or IPC-permission escalation in the desktop app (test a
releasebuild).
- Attackers who already have code execution or admin as your user (the tool is tamper-evident, not tamper-proof, against that adversary — see the README).
- Physical-access attacks and a compromised OS / credential store.
- Denial of service via crashing the app.
- Automated scanner output without a proof-of-concept.
Designed to detect: unauthorised changes to your MCP configuration and the source files of the servers your AI agents launch.
Not designed to prevent: an adversary who already controls your user session or machine. Heimdall raises the bar for tampering and makes it evident; it is a detective control, not a sandbox. Pair it with real isolation for untrusted work.
Last updated: 10 July 2026.