This project is under active development. Security fixes are applied to the latest main branch first.
Please do not open a public GitHub issue for security-sensitive findings.
Report privately by contacting the maintainers with:
- A clear description of the issue
- Impact and severity assessment
- Reproduction steps or PoC
- Suggested remediation (if available)
If you have encrypted disclosure preferences, include your public key details in the initial message and we will coordinate accordingly.
- We acknowledge receipt as quickly as possible.
- We validate and triage the report.
- We patch and test the fix.
- We publish a coordinated advisory/changelog entry.
- Never commit API keys or secrets to the repository.
- Backend runs locally by default; treat
.envas sensitive. - Third-party AI providers can impose data policy constraints; review provider privacy settings before use.