This plugin is part of CapyDeploy. For security concerns affecting the overall project, please refer to the main project's security policy.

As an early-stage project, only the latest version receives updates.

If you discover a potential security issue, please report it responsibly:

1. Do NOT open a public issue
2. Do contact the maintainer privately via GitHub Discussions (private message) or email
3. Include as much detail as possible to help reproduce and understand the issue

• Acknowledgment: Within 72 hours
• Initial assessment: Within 1 week
• Resolution timeline: Depends on complexity, communicated after assessment

This policy applies to:

• The Decky plugin Python backend (WebSocket server, pairing, uploads)
• The React/TypeScript frontend running inside Decky Loader
• Pairing token storage and management
• File upload handling and Steam shortcut creation

Out of scope:

• Decky Loader itself — report to SteamDeckHomebrew/decky-loader
• CapyDeploy Hub — report to lobinuxsoft/capydeploy
• Third-party dependencies — report to their respective projects

This plugin handles:

• Pairing tokens: Stored locally in ~/homebrew/settings/capydeploy.json
• WebSocket connections: From CapyDeploy Hub on the local network
• File uploads: Game files received and written to disk
• Steam shortcuts: Modification of Steam configuration via SteamClient APIs

1. Only pair with devices you trust on your local network
2. Keep Decky Loader and the plugin updated
3. Review connected hubs periodically in the plugin panel

Contributors who responsibly report valid issues will be credited in release notes (unless they prefer anonymity).