The merlin-lite binary makes zero network calls. The Python integration glue likewise makes no HTTP/HTTPS requests.
You can verify this yourself:
strings bin/merlin-lite-windows-x64.exe | grep -iE "http|wininet|winhttp"
grep -ri "urllib\|requests\|httpx" shared/ vscode/

Both return nothing.
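A stricter form of the two checks above, as an added example that is not part of the project's own tooling: it matches markers in both ASCII and UTF-16LE (which `strings` skips by default) and inspects actual Python imports instead of text matches. The `ws2_32`, `socket`, `http` and `aiohttp` entries and both sample inputs are assumptions constructed for illustration.

```python
import ast

# Markers from the page (http, wininet, winhttp) plus ws2_32 (assumed addition).
BINARY_MARKERS = [b"http", b"wininet", b"winhttp", b"ws2_32"]
# Modules from the page (urllib, requests, httpx) plus assumed additions.
NETWORK_MODULES = {"urllib", "requests", "httpx", "socket", "http", "aiohttp"}


def scan_binary(data: bytes) -> set:
    """Return markers present as ASCII or UTF-16LE text, case-insensitively."""
    lowered = data.lower()  # lowercases ASCII bytes, including those in UTF-16LE
    hits = set()
    for marker in BINARY_MARKERS:
        wide = marker.decode().encode("utf-16-le")
        if marker in lowered or wide in lowered:
            hits.add(marker.decode())
    return hits


def scan_python(source: str) -> set:
    """Return network-capable top-level modules that the source imports."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]  # relative imports have no module name
        else:
            continue
        found |= {name.split(".")[0] for name in names} & NETWORK_MODULES
    return found


# Constructed sample: a wide-character DLL name that an ASCII-only scan misses.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + "WinHTTP.dll".encode("utf-16-le") + b"\x00kernel32.dll\x00"
)
# Constructed sample: a real import the grep pattern misses, and a comment
# that the grep pattern would match even though nothing is imported.
SAMPLE_SOURCE = (
    "import json\n"
    "import http.client\n"
    "# requests is mentioned only in this comment\n"
)

if __name__ == "__main__":
    print("binary markers:", sorted(scan_binary(SAMPLE_BINARY)))
    print("network imports:", sorted(scan_python(SAMPLE_SOURCE)))
```

To audit a checkout, pass the bytes of `bin/merlin-lite-windows-x64.exe` to `scan_binary` and the text of each `.py` file under `shared/` and `vscode/` to `scan_python`; empty sets correspond to the "return nothing" result above.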
If you discover a security vulnerability, please do not file a public issue.
Email: security@corbenic.ai
We aim to respond within 48 hours during European business hours. We commit to:
- Acknowledging your report
- Investigating and reproducing
- Releasing a fix or mitigation
- Crediting you (unless you prefer to remain anonymous)
- Code-execution vulnerabilities in the Python install scripts
- File-corruption bugs in the ledger or backup logic
- Credential leakage in install / config code paths
- MCP server JSON-RPC parsing issues
- The compiled binary itself (separate disclosure process)
- Physical-access attacks
- Social engineering