| Version | Supported |
|---|---|
| 1.x.x | ✅ |
We take security seriously. If you discover a security vulnerability in PolyMind CLI, please report it responsibly.
- DO NOT open a public GitHub issue
- Email security concerns to: [your-security-email@example.com]
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Response Time: We aim to respond within 48 hours
- Updates: We'll keep you informed of our progress
- Credit: Security researchers will be credited (if desired)
- Timeline: Fixes typically released within 7-14 days for critical issues
- API keys stored in
.envfiles (git-ignored) - Automatic redaction in logs and error messages
- Format validation per provider
- Null byte removal
- Control character filtering
- Length limits (10,000 chars)
- Injection attack prevention
- Default: 10 requests/minute
- Configurable via
MAX_REQUESTS_PER_MINUTE - Automatic backoff
- Safe error messages (no stack traces to users)
- Sensitive data redaction
- Debug mode for developers only
- Regular security audits via
npm audit - Automated updates for security patches
- Minimal dependency tree
-
API Keys
- Never commit
.envfiles - Use separate keys for dev/prod
- Rotate keys regularly
- Limit API key permissions
- Never commit
-
Configuration
- Review
config.jsonpermissions - Don't share configuration files
- Use environment-specific configs
- Review
-
Updates
- Keep CLI updated:
npm update -g @polymind/cli - Monitor security advisories
- Review changelogs
- Keep CLI updated:
-
Environment
- Use Node.js LTS versions
- Keep npm updated
- Run in isolated environments when possible
- No hardcoded credentials
- Input validation on all user inputs
- Sensitive data redacted in logs
- Dependencies regularly updated
- Security tests included
- Error messages don't leak info
- Rate limiting considered
- HTTPS only for API calls
We follow responsible disclosure:
- Private notification to maintainers
- Fix development and testing
- Security patch release
- Public disclosure after fix deployed
- CVE assignment for critical issues
- Security Email: [security@polymind.ai]
- GitHub Security: https://github.com/reyyanxahmed/polymind-cli/security
- GPG Key: [Optional GPG key for encrypted communications]
Thank you for helping keep PolyMind CLI secure! 🔒