We take security seriously and appreciate responsible disclosure of vulnerabilities. If you discover a security vulnerability in GSD-NG, please report it through GitHub's private vulnerability reporting instead of opening a public issue. Alternatively, email security@devchroma.nl.
When reporting a vulnerability, please include:
- Description - A clear description of the vulnerability
- Reproduction Steps - How to reproduce the issue
- Potential Impact - What could be affected or compromised
- Optional Suggested Fix - If you have a proposed solution
We commit to:
- Acknowledgment - Responding within 48 hours
- Initial Assessment - Providing an initial assessment within one week
- Fix Timeline - Based on severity:
- Critical issues: Targeted for 24-48 hours
- High severity: Within one week
- Medium/Low severity: Included in the next release
Security researchers who follow responsible disclosure practices will be recognized in release notes. Anonymity is available upon request if preferred.
Security issues affecting the GSD-NG codebase, including:
- Vulnerabilities that could enable arbitrary code execution
- Issues that could leak sensitive information (e.g., API credentials)
- Problems that could undermine the reliability of generated plans and code