If you discover a security issue in scrnr, please report it through GitHub Security Advisories.
Do not open a public issue for security vulnerabilities.
You should receive an initial response within a few days. If the vulnerability is confirmed, a fix will be prioritized and released as soon as practical.
scrnr runs as an unprivileged user-space application with no sandbox, no network access, and no entitlements. It interacts with:
- CoreGraphics display configuration APIs
- IOKit framebuffer interfaces (Intel only)
- SkyLight private framework for rotation
- UserDefaults for storing recent resolutions
The most relevant security surface is the use of dlopen/dlsym to load private framework symbols at runtime.
Only the latest release is supported with security fixes.