We release patches for security vulnerabilities. Currently supported versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

We take the security of Local LLM UI seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not disclose the vulnerability publicly until it has been addressed

Email: Please report security vulnerabilities by emailing the maintainers directly. Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will send you regular updates about our progress
- Timeline: We aim to address critical vulnerabilities within 7 days
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
- Keep Updated: Always use the latest version of Local LLM UI
- Local Only: This application is designed for local use only
- Network Security: Do not expose Ollama or LM Studio ports to the internet
- Review Code: Review the source code before running if you have concerns
- Dependencies: Keep Node.js and npm updated
- Dependencies: Regularly update dependencies to patch known vulnerabilities
- Code Review: All code changes should be reviewed before merging
- Input Validation: Validate and sanitize all user inputs
- Secrets: Never commit API keys, tokens, or credentials
- HTTPS: Use HTTPS for any external connections (currently none)
- Privacy: All data stays on your local machine
- No Cloud: No data is sent to external servers
- Local AI: Connects only to local AI providers (Ollama, LM Studio)
- Ollama: Connects to `localhost:11434`
- LM Studio: Connects to `localhost:1234`
- No External APIs: No connections to external services
- Browser Storage: Chat history stored in browser's local storage
- No Server: No backend server storing user data
- Temporary: Data can be cleared by clearing browser data
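
The local-only provider endpoints listed above can be enforced in code rather than left as a convention. The following is an added example, not code from Local LLM UI; `checkProviderUrl` and `isLoopbackHost` are hypothetical names, and the sample URLs are constructed. It accepts a provider URL only when it points at a loopback host on the Ollama or LM Studio port:

```javascript
// Added example: function names are hypothetical, not taken from Local LLM UI.
// The two ports are the Ollama and LM Studio ports listed on this page.
const ALLOWED_PORTS = new Set(["11434", "1234"]);

// True when the parsed hostname is a loopback name or address literal.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // "localhost." -> "localhost"
  if (host === "localhost" || host === "[::1]") return true; // URL keeps IPv6 brackets
  // 127.0.0.0/8. The WHATWG URL parser has already rewritten forms such as
  // 2130706433 or 0x7f.1 into dotted decimal, so one pattern is enough.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m[1] === "127" && m.slice(1, 5).every((o) => Number(o) <= 255);
}

// Returns { ok: true, origin } or { ok: false, reason } for a provider base URL.
function checkProviderUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme" };
  }
  // "http://localhost@other.example" parses with other.example as the host.
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  if (!isLoopbackHost(url.hostname)) {
    return { ok: false, reason: "host is not loopback" };
  }
  if (!ALLOWED_PORTS.has(url.port)) {
    return { ok: false, reason: "unexpected port" };
  }
  return { ok: true, origin: url.origin };
}

// Constructed sample settings, as a user might type them into a provider field.
const SAMPLE_URLS = [
  "http://localhost:11434/api/tags",
  "http://127.0.0.1:1234/v1/models",
  "http://localhost.other.example:11434",
  "http://localhost@other.example:1234",
  "http://0.0.0.0:11434",
];
for (const u of SAMPLE_URLS) console.log(u, JSON.stringify(checkProviderUrl(u)));
```

The check compares the parsed hostname, not the raw string, so look-alike names such as `localhost.other.example` and the wildcard address `0.0.0.0` are rejected.
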
- ✅ Local-only operation
- ✅ No external API calls
- ✅ No user authentication required (local app)
- ✅ No data transmission to external servers
- ✅ Open source code for transparency
- 🔄 Content Security Policy (CSP) headers
- 🔄 Subresource Integrity (SRI) for CDN resources
- 🔄 Regular security audits
- 🔄 Automated dependency vulnerability scanning
- We will respond to security reports within 48 hours
- We will work with you to understand and address the issue
- We will keep you informed of our progress
- We will credit you in the security advisory (if desired)
- Day 0: Vulnerability reported
- Day 1-2: Acknowledgment sent
- Day 3-7: Investigation and fix development
- Day 7-14: Testing and verification
- Day 14+: Public disclosure and release
- We will coordinate disclosure timing with the reporter
- We will publish a security advisory on GitHub
- We will release a patched version
- We will update the CHANGELOG

Security updates will be released as:
- Patch versions (1.0.x) for minor security fixes
- Minor versions (1.x.0) for moderate security issues
- Major versions (x.0.0) for critical security changes

We regularly monitor and update dependencies for security vulnerabilities:
- npm audit: Run regularly to check for known vulnerabilities
- Dependabot: Automated dependency updates (if enabled)
- Manual review: Critical dependencies reviewed manually
- Security vulnerabilities in the application code
- Dependency vulnerabilities
- Configuration issues leading to security problems
- XSS, CSRF, or injection vulnerabilities
- Authentication/authorization bypasses (if applicable)
- Issues in Ollama or LM Studio (report to their respective projects)
- Browser vulnerabilities
- Operating system vulnerabilities
- Social engineering attacks
- Physical access attacks

For security concerns, please contact the project maintainers:
- GitHub: Open a security advisory (preferred)
- Email: [Contact information to be added]

We thank the security researchers and contributors who help keep Local LLM UI secure.

Last Updated: January 31, 2025