We take the security of CodeFix-Env seriously. If you discover a security vulnerability, we appreciate your responsible disclosure and will work quickly to address it.
Preferred Method:
Use GitHub's private vulnerability reporting for this repository (Security tab → "Report a vulnerability") if it is enabled. This creates a draft security advisory that only the maintainers can read.
- If private reporting is not available, open a discussion in the GitHub Discussions section of this repository that states only that you have a security concern and asks for a private channel. Do not include reproduction details in the discussion: Discussions are publicly readable, so anything posted there is already disclosed.
Important: Do not create public issues for security vulnerabilities. Use private vulnerability reporting or email instead.
When submitting a report, please provide the following information:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Affected version(s)
- Potential impact
- Any suggested mitigation or fix (if known)
What to Expect:
- You will receive an acknowledgment within 48–72 hours.
- We will provide regular updates on the status of your report.
- We aim to resolve confirmed vulnerabilities as quickly as possible.
Disclosure Policy:
- We follow responsible disclosure practices.
- Please do not publicly disclose the vulnerability until a fix has been released; we aim to release fixes within 90 days of confirming a report.
- Once resolved, we will publish a GitHub Security Advisory and credit you (unless you prefer to remain anonymous).
In Scope:
- Sandbox or container escapes
- Remote Code Execution (RCE)
- Authentication / Authorization bypass
- Sensitive data exposure
- Denial of Service affecting the host
Out of Scope:
- Issues found only in example code or documentation
- Attacks that require physical access to, or administrative privileges on, the host
- Vulnerabilities in downstream LLMs (report these to the model's provider)
Thank you for helping keep CodeFix-Env secure! 🙏