Security & Safety

Built Private.
Hardened by Design.

Biome is local-first software. Your data, keys, and conversations never touch our servers. Below is an honest account of how we protect you — from the gateway layer down.

lock Local First Keys and conversations live on your machine. Always.
verified_user SSRF Hardened All outbound network requests are validated and host-allowlisted.
gpp_maybe Exec Approval Commands require explicit approval. Timeouts block, not bypass.
policy Trust Isolation External content is quarantined from trusted operator context.
Biome Gateway — Updated Security Model

What changed in the new version.

v2026.4+

The Biome gateway that powers Biome's AI skill system received a significant security update. These changes address real attack surfaces — network request abuse, command execution edge cases, and untrusted input leakage — without breaking the features you rely on.

Server-Side Request Forgery (SSRF) is an attack where a server is tricked into making requests to internal or unintended hosts on your behalf. We've added strict controls to prevent this across all network-touching features.

Attachment Uploads

All file-consent upload targets are validated against HTTPS-only, host allowlists, and private-IP DNS checks before any upload begins.

Web Fetch & Search

Outbound web requests use hardened DNS-pinning dispatchers. HTTP/2 upgrade is disabled on guarded fetches to prevent protocol-level bypasses.

Media & External APIs

Gateway-side attachment and media downloads are routed exclusively through vetted HTTPS endpoints. Arbitrary remote hosts cannot be followed.

When the AI requests to run a command, you must approve it. A previous edge case allowed approval timeouts to inadvertently unblock execution. This is now fixed — timeouts result in a hard block, not a silent pass-through.

Timeout = Blocked

If an approval prompt times out, the command is blocked on both the gateway and node exec hosts. The fallback path no longer silently executes timed-out commands.

Cross-Platform Approvals

Mobile exec approvals (iOS, Apple Watch) now use hardened notification flows with proper recovery when devices are locked or backgrounded — no stale approval state.

External content — from webhooks, wake events, runtime notifications, and background tasks — is now explicitly tagged as untrusted before it enters the AI's context. This prevents lower-trust content from masquerading as trusted operator input.

Runtime Events

Background task completion notices and relay outputs are marked as untrusted system events. They cannot re-enter the main session as trusted operator text.

External Hooks & Wake Events

Content delivered via external wake triggers is queued as untrusted. External sources cannot inject trusted instructions into a running session.

Internal tool call data and system metadata are kept separate from user-visible conversation history. Raw internal structures no longer leak into rendered views or subsequent turns of a conversation.

No Internal Leakage

Tool call XML blocks and internal commentary are sanitized out of all user-facing history views and follow-up replies. What you see is what the model intended to show.

Consistent History

Session history sequence numbers stay monotonic. Streamed and reloaded views are consistent — no divergence between live and replayed conversation state.

The small amount of server-side infrastructure Biome uses (for onboarding and account management) is rate-limited and hardened. We minimise server-side exposure by design.

Server Rate Limits

Our onboarding backend enforces per-IP rate limiting to prevent abuse. OTP codes expire in 10 minutes and cannot be reused.

No Key Storage

Your AI API keys are stored exclusively in your device's local storage. Our servers never see them. AI calls go directly from your machine to the provider.

Platform Note

Why does macOS block Biome?

When you open Biome for the first time, macOS may show a warning that the app cannot be verified. This is Gatekeeper — Apple's system for flagging apps without a paid Developer Certificate.

Apple charges developers $99/year for the certificate required to pass this check automatically. Biome is free, independent software. We distribute without the paid enterprise certificate.

Our position

Developers should not have to pay annual fees to share free software. The warning is cosmetic — it says nothing about what the app actually does. The source code behind Biome's local gateway is open for inspection.

How to open Biome on macOS

  1. 01

    Open the downloaded .dmg file and drag Biome to your Applications folder.

  2. 02

    Open System Settings → Privacy & Security.

  3. 03

    Scroll down to find the Biome blocked message and click Open Anyway. Confirm with your password or Touch ID.

  4. 04

    Done. Biome opens normally from this point on — you will never see this prompt again.

On Windows: click More Info → Run Anyway in the SmartScreen prompt. Same one-time confirmation.

Responsible Disclosure

Found a security issue?

We take every report seriously. Please disclose privately so we can fix it before it affects users. Include a description, reproduction steps, and the component affected.

mail Report Privately