PromptForge is actively developed on the main branch. We provide security
fixes for the latest release only.
| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ (pre-release) |
We take security seriously. If you discover a security vulnerability in PromptForge, please do not open a public issue.
Instead, please report it privately via one of:
- GitHub Security Advisories (preferred): Report a new vulnerability
- Or email the maintainer directly if an email is listed in their GitHub profile.
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof-of-concept.
- Affected versions/commits.
- Any suggested mitigations.
We will acknowledge receipt within 72 hours and aim to provide an initial assessment within 7 days. We appreciate coordinated disclosure and will credit reporters (unless they prefer to remain anonymous) in any advisory we publish.
This policy covers the PromptForge codebase in this repository. It does not cover:
- Vulnerabilities in third-party dependencies (report those upstream).
- Issues in forks or deployments you don't control.
- Self-XSS or social-engineering attacks requiring the victim to attack themselves.
- Keep dependencies up to date (
bun update). - Do not commit your
.envfile or database — they are gitignored by default. - Run PromptForge behind HTTPS in production.
- Review community-submitted prompts (they enter with
status: pending) before promoting them toapproved.