Security

Responsible Disclosure

If you discover a security vulnerability in any Ares Realm Studios product, please report it privately. Do not open a public GitHub issue for security vulnerabilities.

Email: [email protected]

Include a description of the vulnerability, steps to reproduce, and any relevant logs or proof-of-concept code.

Response Timeline

  • Acknowledgement: within 72 hours
  • Initial assessment: within 7 days
  • Critical fix: within 30 days
  • Other issues: within 90 days

Architecture Overview

A.R.E.S. Mobile is a local-first application. Its attack surface breaks down as follows:

  • AI inference — all local model inference runs on-device via llama.cpp. No model data or conversation content is transmitted to any server.
  • Voice processing — microphone audio is transcribed entirely on-device via Whisper. Audio is never uploaded.
  • Text-to-speech — Kokoro TTS runs fully offline via ONNX Runtime. No audio is transmitted.
  • Cloud providers (optional) — if configured, API keys are stored in Android's sandboxed AsyncStorage and sent only to the user's chosen provider.
  • Chat history — stored in a local SQLite database in the app's private sandbox. Not backed up to any cloud service.

Out of Scope

  • Vulnerabilities in third-party AI model weights
  • Issues requiring physical device access to exploit
  • Theoretical attacks with no practical impact
  • Issues in upstream dependencies where no fix is available

Acknowledgements

Researchers who responsibly disclose valid vulnerabilities will be credited in release notes if they wish.

Copyright © 2025–2026 Ares Realm Studios