CIDX follows a rolling release model. Security fixes are applied to the latest
release on the master branch. Please make sure you are running the most recent
release before reporting a vulnerability.
| Version | Supported |
|---|---|
Latest release (master) |
Yes |
| Older releases | No |
Please report security vulnerabilities privately. Do not open a public issue, pull request, or discussion for a suspected vulnerability.
- Go to the Security Advisories page.
- Click Report a vulnerability to open a private advisory.
- Include reproduction steps, affected version(s), and an impact assessment.
We will acknowledge your report, work with you to understand and validate the issue, and coordinate a fix and disclosure timeline.
CIDX has a meaningful security surface, particularly in Server and Cluster mode. Reports concerning the following areas are especially valued:
- Authentication and authorization (OAuth 2.0 / OIDC, role-based permissions).
- TOTP step-up elevation for administrative operations.
- The X-Ray evaluator sandbox (AST whitelist, restricted builtins, process isolation).
- Multi-user and multi-tenant data isolation across golden and activated repositories.
Relevant architecture is documented under docs/security/, docs/totp-elevation.md, and docs/oidc-setup-and-configuration.md.
We support coordinated disclosure. Please give us a reasonable opportunity to release a fix before disclosing a vulnerability publicly.