Security: duggan/filetranscriber

SECURITY.md

Security

FileTranscriber runs entirely on your Mac. Transcription is done on-device with WhisperKit; nothing you transcribe leaves the machine.

What FileTranscriber stores

  • Whisper model files — downloaded once from FileTranscriber's own GitHub release assets into ~/Library/Application Support/FileTranscriber/Models/, and verified against a bundled SHA-256 before use. Subsequent transcriptions are fully offline.
  • Preferences — chosen model, language, and translate toggle, in ~/Library/Preferences/ie.duggan.filetranscriber.plist. No secrets.

FileTranscriber has no telemetry, no analytics, no crash reporting, and no remote logging.

Network use

  • First-run model download from GitHub release assets (github.com / objects.githubusercontent.com). By default FileTranscriber does not contact Hugging Face or any other third-party model host. After the model is cached, no network is required.
  • Power users can change the model source in Settings → System → Advanced. Choosing Hugging Face makes first-run downloads come from huggingface.co instead (no checksum verification); choosing Local folder loads a model you provide from disk, with no network at all. The default (FileTranscriber's verified GitHub assets) is unchanged for everyone else.

Supported versions

Only the latest released version is supported.

Reporting a vulnerability

Please email ross@duggan.ie with details. I'll respond as soon as I can. For non-sensitive bugs, prefer a GitHub issue.

There aren't any published security advisories