| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
If you discover a security vulnerability in AllBeads, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to the maintainer directly
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 7 days
  - Medium: 30 days
  - Low: Next release
AllBeads supports multiple authentication strategies for git operations:
- SSH Agent (recommended)
- Personal Access Tokens
- SSH Keys
Best Practices:
- Use SSH Agent for interactive use
- Use scoped Personal Access Tokens for CI/CD
- Never commit credentials to the repository
- Beads data is stored in `.beads/` directories within git repositories
- Cache data is stored in `~/.config/allbeads/`
- SQLite databases contain cached bead data only (no credentials)
When using JIRA or GitHub integrations:
- API tokens are stored in the user's config directory
- Tokens should have minimum required permissions
- Review token scopes before granting access
The `allbeads janitor` command scans the code base for potential security issues:
- Hardcoded secrets in source code
- SQL injection patterns
- Unsafe eval usage
Run it periodically to catch such issues early.
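To make the three janitor categories above concrete, and to show how the "never commit credentials" practice from the authentication section can be enforced mechanically, here is an added example of a small line-oriented scanner. It is illustrative code written for this page, not the janitor's own implementation; the regular expressions, the `Finding` type, and the placeholder heuristic are assumptions about what such a check might look like, and the scanned source text is constructed for the example.

```python
"""Illustrative source scanner for hardcoded secrets, dynamic SQL and eval().

Added example; NOT the AllBeads janitor code. The rules below are assumed
heuristics, chosen to show the shape of each check and one false-positive
guard, not a complete secret-detection engine.
"""
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    detail: str

# Credential-like name assigned a quoted literal of at least 8 characters.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*["']([^"']{8,})["']""")
# user:password@ embedded in a URL (e.g. a PAT baked into a git remote).
SECRET_IN_URL = re.compile(r"""https?://[^/\s:@]+:[^/\s@]+@""")
# Literals that are templates or dummies, not real secrets (assumed guard).
PLACEHOLDER = re.compile(r"""[${}<>]|changeme|example""", re.IGNORECASE)
# A quoted string that carries SQL ...
SQL_LITERAL = re.compile(r"""(?i)["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b""")
# ... combined with concatenation, %-formatting, .format() or an f-string.
SQL_DYNAMIC = re.compile(
    r"""["']\s*\+\s*\w|["']\s*%\s*\(?\w|\.format\(|(?<!\w)f["'][^"']*\{""")
# eval(/exec( not preceded by an identifier char or a dot, so that
# ast.literal_eval(...) and model.eval() are not reported.
UNSAFE_EVAL = re.compile(r"""(?<![\w.])(?:eval|exec)\s*\(""")


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, category) that matches a rule."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER.search(m.group(1)):
            findings.append(Finding(line_no, "hardcoded-secret",
                                    "credential assigned from a string literal"))
        elif SECRET_IN_URL.search(line):
            findings.append(Finding(line_no, "hardcoded-secret",
                                    "credentials embedded in a URL"))
        if SQL_LITERAL.search(line) and SQL_DYNAMIC.search(line):
            findings.append(Finding(line_no, "sql-injection",
                                    "SQL text built by concatenation or formatting"))
        if UNSAFE_EVAL.search(line):
            findings.append(Finding(line_no, "unsafe-eval",
                                    "eval()/exec() called on a runtime value"))
    return findings


# Constructed sample input: a mix of findings and near-misses that must not fire.
SAMPLE_SOURCE = """\
import os
API_KEY = "sk_live_4f9a8c2e7b1d6e3f0a5b"
DB_PASSWORD = os.environ["DB_PASSWORD"]
REMOTE = "https://deploy:ghp_abcdef0123456789@github.com/org/repo.git"
query = "SELECT * FROM beads WHERE id = '" + bead_id + "'"
safe = cur.execute("SELECT * FROM beads WHERE id = ?", (bead_id,))
result = eval(user_expr)
data = ast.literal_eval(payload)
template_token = "${GITHUB_TOKEN}"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.category}] {f.detail}")
```

Lines 3, 6, 8 and 9 of the sample are deliberate near-misses: a secret read from the environment, a parameterized query, `ast.literal_eval`, and a templated token reference. A scanner that flags those trains people to ignore it, so every heuristic is paired with the case it must not match.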