Security: kakashi3lite/NeuroPro

SECURITY.md

Security Policy

Overview

NeuroPro takes security seriously. This document outlines our security practices, how to report vulnerabilities, and our commitment to protecting user privacy.

Security Principles

1. Privacy-First Architecture

  • 100% On-Device Processing: All AI computations run locally on the user's device
  • Zero Cloud Dependency: No data is ever transmitted to external servers
  • No Telemetry: No analytics, tracking, or usage data collection without explicit user consent
  • No Third-Party SDKs: No advertising, analytics, or tracking frameworks

2. Data Protection

  • No Data Persistence: Camera frames are processed in real-time and immediately discarded
  • No Image Storage: No photos or videos are saved without explicit user action
  • Secure Memory: Metal buffers are properly deallocated after processing
  • No Logs: No sensitive information is logged to console or files

3. Code Security

  • Type Safety: 100% Swift type-safe code, no force unwraps in production
  • Memory Safety: Automatic Reference Counting (ARC) prevents memory leaks
  • Input Validation: All user inputs and camera frames are validated
  • Secure APIs: Only Apple-provided security-audited frameworks

Supported Versions

We release security updates for the following versions:

Version   Supported
1.0.x     ✅
< 1.0     ❌

Security Features

Camera Access

  • Permission-Based: Requires explicit user permission (iOS standard)
  • Indicator Display: iOS automatically shows camera usage indicator
  • Revocable Access: Users can revoke permission in iOS Settings at any time

Metal GPU Security

  • Sandboxed Execution: Metal shaders run in isolated GPU context
  • Validated Pipelines: All compute pipelines are validated at compile time
  • Memory Isolation: GPU memory is isolated from system memory

Network Security

  • No Network Access: App does not request network permissions
  • Offline-First: Fully functional without internet connection
  • No External Requests: No HTTP/HTTPS requests to any servers

Known Security Considerations

1. Screenshot/Screen Recording

  • iOS allows users to take screenshots of any app
  • Detection results visible in screenshots could contain sensitive information
  • Mitigation: Users should be aware screenshots may capture detected objects

2. Accessibility Services

  • VoiceOver and other accessibility services can read detected object labels
  • Mitigation: This is intentional for accessibility, users control these settings

3. Debugger Attachment

  • When attached to Xcode debugger, internal state is visible
  • Mitigation: Only occurs during development, not in production builds

Reporting a Vulnerability

We take all security reports seriously. If you discover a security vulnerability:

Where to Report

DO NOT open a public GitHub issue for security vulnerabilities.

  • Email: security@neuropro.app (preferred)
  • GitHub: Use GitHub Security Advisories (private disclosure)

What to Include

  1. Description: Clear description of the vulnerability
  2. Impact: Potential security impact and affected users
  3. Reproduction: Step-by-step instructions to reproduce
  4. Environment: iOS version, device model, app version
  5. Proof of Concept: Code or video demonstrating the issue (if applicable)

Response Timeline

  • 24 hours: Initial acknowledgment of report
  • 72 hours: Preliminary assessment and severity rating
  • 7 days: Detailed response with fix timeline or mitigation plan
  • 30 days: Security patch released (for confirmed vulnerabilities)

Severity Ratings

Critical (CVSS 9.0-10.0)

  • Remote code execution
  • Data exfiltration
  • Complete device compromise

High (CVSS 7.0-8.9)

  • Privilege escalation
  • Unauthorized access to camera
  • Sensitive information disclosure

Medium (CVSS 4.0-6.9)

  • Denial of service
  • Information leakage
  • App crash with data loss

Low (CVSS 0.1-3.9)

  • Minor information disclosure
  • UI spoofing
  • Performance degradation

Security Best Practices for Users

Recommended Settings

  1. Keep iOS Updated: Always use the latest iOS version
  2. App Updates: Enable automatic app updates
  3. Review Permissions: Periodically review app permissions in Settings
  4. Passcode/Face ID: Use device authentication to prevent unauthorized access

What NeuroPro Never Does

  • ❌ Request internet/network access
  • ❌ Store photos without your action
  • ❌ Send data to servers
  • ❌ Track your location
  • ❌ Share data with third parties
  • ❌ Display advertisements
  • ❌ Collect analytics

What NeuroPro Does

  • ✅ Process camera frames in real-time
  • ✅ Use Metal GPU for performance
  • ✅ Run AI models on Neural Engine
  • ✅ Discard frames after processing
  • ✅ Respect your privacy

Code Audit

Last Security Audit

  • Date: January 2025
  • Scope: Full codebase review
  • Findings: No critical or high severity issues
  • Tools Used: Xcode Static Analyzer, SwiftLint, Manual Review

Continuous Security

  • All pull requests undergo security review
  • Automated static analysis on every commit
  • Manual code review for sensitive changes
  • Regular dependency updates

Compliance

Privacy Regulations

  • GDPR Compliant: No personal data collection
  • CCPA Compliant: No data sale or sharing
  • COPPA Compliant: Safe for all ages (no data collection)

Apple Guidelines

  • ✅ App Store Review Guidelines 2.5.13 (Privacy)
  • ✅ Human Interface Guidelines (Permissions)
  • ✅ App Privacy Details (No data collection)

Dependencies

Apple Frameworks (Trusted)

  • Metal (GPU framework)
  • MetalPerformanceShaders (Neural networks)
  • Vision (Object detection)
  • Core ML (Machine learning)
  • AVFoundation (Camera access)
  • SwiftUI (User interface)

All frameworks are:

  • Provided by Apple
  • Regularly security-audited
  • Updated via iOS system updates
  • No third-party dependencies

Third-Party Code

  • None: Zero third-party libraries or SDKs

Security Checklist

Before every release:

  • Static analysis passes (Xcode Analyzer)
  • No compiler warnings
  • No force unwraps in production code
  • All network code removed (verify with network link map)
  • Camera permission strings up to date
  • Privacy manifest accurate
  • Memory leaks checked (Instruments)
  • Code signing verified
  • Entitlements minimized
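The release checklist above, as an added pre-release gate script (example code, not part of the NeuroPro repository) that automates four of the items: force unwraps, leftover network code, the camera usage string and the privacy manifest. The tree layout it assumes (Sources/, Tests/, Info.plist and PrivacyInfo.xcprivacy under one source root) is an assumption; run it as `sh release_checks.sh <source-root>`.

```shell
#!/bin/sh
# Added example, not NeuroPro's own tooling. Assumed layout under <root>:
# Sources/**/*.swift, Tests/** (skipped by the unwrap scan), Info.plist,
# PrivacyInfo.xcprivacy. Every check is a function so CI can call them singly.

# Force unwraps (`x!`, `try!`, `as!`): a `!` preceded by an identifier or closing
# bracket character and not followed by `=`, so `a != b` and `!flag` are ignored.
# A `!` inside a string literal is still reported; SwiftLint's force_unwrapping,
# force_try and force_cast rules are the precise version of this heuristic.
count_force_unwraps() {
  find "$1" -name '*.swift' ! -path '*/Tests/*' \
    -exec grep -E '[]A-Za-z0-9_)]!([^=]|$)' {} + | wc -l | tr -d ' '
}

# Source-level stand-in for the link-map check: any reference to Apple's
# networking APIs in Swift sources means network code is still present.
count_network_refs() {
  find "$1" -name '*.swift' \
    -exec grep -E 'URLSession|NWConnection|NWListener|import Network|CFNetwork' {} + \
    | wc -l | tr -d ' '
}

# Info.plist must carry a non-empty NSCameraUsageDescription (the text iOS shows
# in the camera prompt). Whitespace is stripped so key and value match on one
# line whatever the plist indentation.
has_camera_usage_description() {
  [ -f "$1" ] || return 1
  tr -d ' \n\t' < "$1" | grep -Eq '<key>NSCameraUsageDescription</key><string>[^<]+</string>'
}

# Privacy manifest must exist and declare NSPrivacyTracking = false.
privacy_manifest_declares_no_tracking() {
  [ -f "$1" ] || return 1
  tr -d ' \n\t' < "$1" | grep -q '<key>NSPrivacyTracking</key><false/>'
}

# Run every check; exit status is non-zero if any fails, so CI can gate on it.
run_checks() {
  root="$1"; status=0
  n=$(count_force_unwraps "$root")
  if [ "$n" -eq 0 ]; then echo "PASS no force unwraps"; else echo "FAIL $n force unwrap(s)"; status=1; fi
  n=$(count_network_refs "$root")
  if [ "$n" -eq 0 ]; then echo "PASS no network code"; else echo "FAIL $n network reference(s)"; status=1; fi
  if has_camera_usage_description "$root/Info.plist"; then echo "PASS camera usage string"; else echo "FAIL camera usage string"; status=1; fi
  if privacy_manifest_declares_no_tracking "$root/PrivacyInfo.xcprivacy"; then echo "PASS privacy manifest"; else echo "FAIL privacy manifest"; status=1; fi
  return $status
}

if [ $# -gt 0 ]; then run_checks "$1"; fi
```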

Responsible Disclosure

We support responsible disclosure and will:

  1. Acknowledge your contribution in release notes (with permission)
  2. Credit security researchers (unless requested otherwise)
  3. Coordinate disclosure timeline with reporter
  4. Not Pursue Legal Action against good-faith security research

Bug Bounty

Currently, we do not offer a formal bug bounty program. However:

  • We deeply appreciate security reports
  • We will publicly credit researchers (with permission)
  • We may offer recognition in future bounty programs

Contact

  • Security Team: security@neuropro.app
  • General Inquiries: Contact via GitHub issues (non-security only)
  • Privacy Questions: privacy@neuropro.app


Security Hall of Fame

We recognize security researchers who help keep NeuroPro safe:

No vulnerabilities reported yet


Last Updated: January 2025
Next Review: Quarterly (April 2025)
