Support
I need help or want to report a bug
The fastest route is an e-mail to info@voxrox.org or a new issue on GitHub:
- github.com/TheVoxRox/mail/issues — bugs, feature requests, questions.
So we can help as quickly as possible, please include:
- The application version (Help → About, or the appVersion field in session.json).
- Your Windows version.
- Your e-mail provider (Gmail, Outlook, Seznam, custom server) and login method (password / OAuth).
- The steps that reproduce the problem.
Diagnostic bundle
If we ask for it, you can manually export a diagnostic bundle (GET /api/internal/diagnostic-dump). It contains only masked e-mail addresses, account configuration (host, port, SSL), synchronization status and runtime metrics. It does not contain credentials, OAuth tokens, message bodies or subjects. See the Privacy Policy for details.
Supported versions
Only the latest released installer (distributed via the GitHub Releases page) receives security fixes. Pre-release tags and unreleased commits are not supported.
| Version | Supported |
|---|---|
| latest | Yes — current release |
| Older | No — please update |
Reporting a security issue
Please do not report security issues in the public issue tracker. Email info@voxrox.org. We treat every report as private until a fix and a release are available.
Please include:
- A description of the issue and how to reproduce it.
- The affected version (Help → About or the appVersion field in session.json).
- Your operating system, mail provider, and whether the issue requires network access to a specific server.
- A proof-of-concept if you have one (in any format).
You should receive an acknowledgement within 7 calendar days. Our default disclosure window is 90 days from the initial report, extended by mutual agreement if a fix requires a longer rollout.
What counts as a vulnerability
- Cross-site scripting (XSS) in rendered mail content despite the HTML sanitiser.
- Bypass of the SSRF guard in the Tauri / Spring loopback handshake.
- Bypass of the API-key header check.
- Plain-text credentials written anywhere on disk (passwords and OAuth refresh tokens must be encrypted at rest).
- Token leakage into log files.
- IMAP / SMTP downgrade attacks (forced STARTTLS strip).
- Privilege escalation against the sidecar process.
What does not count
- Theoretical issues without a working demonstration.
- Reports targeting third-party services we depend on (Gmail, Microsoft 365, Seznam) — please report those directly to the provider.
- DoS by physically destroying the device the app runs on.
We will credit reporters in the release notes unless they prefer to remain anonymous.