| Version | Supported |
|---|---|
| latest | ✅ |
Please do not open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability in this project, please report it responsibly:
- Email: Send a detailed report to the maintainers via a private channel (open a GitHub Security Advisory on this repository).
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
You should receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.
The following are in scope:
- Injection vulnerabilities (SQL injection, XSS, command injection)
- Sensitive data exposure (credentials, tokens, PII leaks in SQLite database)
- Path traversal or file access issues (e.g. via hook handler or transcript paths)
- Dependency vulnerabilities with a known exploit
The following are out of scope:
- Denial of service via rate limiting (we acknowledge this and plan to address it)
- Self-hosted deployment misconfigurations
- We follow coordinated disclosure.
- We aim to release a fix within 14 days of confirming a vulnerability.
- Credit will be given to reporters in the release notes unless they prefer to remain anonymous.