| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |

We take security seriously. If you discover a security vulnerability, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly or use GitHub's private vulnerability reporting feature
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

After you report, you can expect:
- Acknowledgment within 48 hours
- Regular updates on the progress
- Credit in the security advisory (if desired)

This security policy covers:
- The OpenCode Cursor Proxy codebase
- Authentication and credential handling
- API communication security

This security policy does not cover:
- Vulnerabilities in Cursor's official services
- Issues in upstream dependencies (report to respective maintainers)
- Social engineering attacks

When using this project:
- Protect your credentials: Never commit or share your Cursor access tokens
- Use environment variables: Store sensitive data in environment variables
- Keep dependencies updated: Regularly update to get security patches
- Review permissions: Understand what access this plugin requires

How this project handles tokens, network traffic and data:
- Access tokens are stored locally using OpenCode's credential storage
- Tokens are automatically refreshed before expiration
- Refresh tokens should be treated as sensitive credentials
- All API communication uses HTTPS
- The proxy server (if used) runs locally by default
- This plugin processes your code and conversations
- No data is stored beyond what's needed for the session
- Review Cursor's privacy policy for their data handling practices

This is an unofficial, experimental project. Use at your own risk. See the main README for full disclaimers.