For the framework's threat model and the framework-vs-application security responsibility matrix, see docs/guides/security.md.
| Version | Supported |
|---|---|
| 0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues. Instead, report them via one of the following methods:

- Use GitHub's private vulnerability reporting to submit a report directly.
- Send details to the repository owner via the email associated with their GitHub profile.
Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:

- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Resolution target: depends on severity (see the table below)
| Level | Description | Target Resolution |
|---|---|---|
| Critical | RCE, data breach, auth bypass | 24-48 hours |
| High | Significant security impact | 1 week |
| Medium | Limited impact, requires specific conditions | 2-4 weeks |
| Low | Minimal impact | Next release |
Since DAZZLE generates code, consider these security aspects:

Generated code:

- Review generated code before deploying to production
- Generated backends should be treated as starting points, not production-ready
- Always sanitize user inputs in generated applications

DSL files:

- DSL files are parsed and may influence code generation
- Only use DSL files from trusted sources
- Validate DSL files in CI before merging

Dependencies:

- We use `pip-audit` in CI to check for vulnerable dependencies
- Report any dependency-related concerns through the same channels
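As an added illustration of the dependency check described above (example code, not part of DAZZLE or its CI configuration), the script below turns `pip-audit` output into a pass/fail gate. It assumes the job runs `pip-audit -f json` and that the report has pip-audit's documented JSON shape (a `dependencies` list whose entries carry a `vulns` array with `id` and `fix_versions`); the embedded sample report and the `PLACEHOLDER-ID` advisory identifier are constructed for the example, and the allowlist mechanism is this example's own design for recording accepted risk.

```python
"""CI gate for pip-audit JSON output (added example, not DAZZLE's own tooling).

Assumes: the job runs ``pip-audit -f json`` and the report follows pip-audit's
JSON format. The sample report below is constructed for illustration.
"""
import json
import subprocess
import sys

# Constructed sample in pip-audit's JSON shape: one clean package and one
# package with a single (placeholder) finding.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.31.0", "vulns": []},
        {"name": "examplepkg", "version": "1.0.0", "vulns": [
            {"id": "PLACEHOLDER-ID", "fix_versions": ["1.0.1"],
             "aliases": [], "description": "constructed finding"}
        ]},
    ],
    "fixes": [],
})


def vulnerable_packages(report_json: str) -> list[dict]:
    """Return one record per package that has at least one finding."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulns") or []
        if not vulns:
            continue
        hits.append({
            "name": dep["name"],
            "version": dep["version"],
            "ids": [v["id"] for v in vulns],
            # Union of fix versions across all findings for this package
            "fix_versions": sorted({fv for v in vulns for fv in v.get("fix_versions", [])}),
        })
    return hits


def gate(report_json: str, allowlist: frozenset[str] = frozenset()) -> int:
    """Exit status for CI: 0 if no findings remain after applying the allowlist
    of explicitly accepted advisory IDs, 1 otherwise."""
    remaining = [h for h in vulnerable_packages(report_json)
                 if not set(h["ids"]) <= allowlist]
    for h in remaining:
        fixes = ", ".join(h["fix_versions"]) or "no fix published"
        print(f"{h['name']}=={h['version']}: {', '.join(h['ids'])} (fix: {fixes})")
    return 1 if remaining else 0


def run_pip_audit() -> str:
    """Invoke pip-audit on the current environment and return its JSON report.
    pip-audit's own exit code is ignored on purpose: it is non-zero whenever
    anything is found, and the allowlist decision is made in gate() instead."""
    proc = subprocess.run(["pip-audit", "-f", "json"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Pass --live to audit the real environment; otherwise use the sample report.
    data = run_pip_audit() if "--live" in sys.argv else SAMPLE_REPORT
    sys.exit(gate(data))
```

The allowlist should be a reviewed file in the repository rather than a CI variable, so that each accepted advisory ID is visible in code review alongside the reason it was accepted.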
We appreciate responsible disclosure and will acknowledge security researchers in our release notes (unless anonymity is requested).