Security fixes are prioritized for the latest released or tagged version of Bunny Stream iOS. When practical, fixes may also be backported to recent minor versions that are still widely used.
Please keep your application on the latest SDK version whenever possible.
Please do not report security vulnerabilities in public GitHub issues.
To report a vulnerability, contact us privately at support@bunny.net with the subject line:
[Security] bunny-stream-ios
Include as much detail as you can safely share:
- Affected package (
BunnyStreamAPI,BunnyStreamUploader,BunnyStreamPlayer,BunnyStreamCameraUpload, or example app) - Affected version or commit
- Steps to reproduce
- Impact and possible attack scenario
- Any proof of concept, logs, or screenshots
- Suggested fix, if you have one
Do not include production access keys, signing certificates, provisioning profiles, customer data, or other secrets.
We aim to acknowledge security reports within a reasonable time and will follow up if we need more information. If the report is valid, we will work on a fix, coordinate disclosure timing where appropriate, and publish release notes or advisories when the issue is resolved.
In scope:
- Authentication or authorization flaws in SDK API calls
- Unsafe handling of access keys, tokens, signed URLs, certificates, or FairPlay-related data
- Upload or playback behavior that could expose private content
- Dependency or package configuration issues that affect SDK users
- Security-sensitive issues in camera recording, background uploads, or media playback flows
Out of scope:
- Vulnerabilities requiring a compromised developer machine
- Issues only present in unsupported SDK versions
- Denial-of-service scenarios with no practical impact on SDK users
- Reports without enough detail to reproduce or assess
Maintainers may use AI-assisted tooling to triage reports or review patches, but vulnerability details should be handled carefully. Do not send secrets, private customer data, or unreleased vulnerability details to third-party AI systems unless explicitly approved by the maintainers responsible for the report.