If you find a security issue in Munchkin, please do not open a public issue with sensitive details.
Instead:
- contact the maintainer privately through GitHub
- include reproduction details
- include affected version, OS, and provider

Munchkin handles encrypted local storage of provider auth snapshots.
Relevant security areas include:
- vault encryption
- master password handling
- provider snapshot persistence
- accidental plaintext leakage
- unsafe rollback or restore behavior
- OAuth session validity is ultimately controlled by the upstream provider
- shared accounts and rotated refresh tokens are expected operational risks, not necessarily security bugs