Do not open a public issue for security vulnerabilities.
Please report security issues privately via GitHub Security Advisories:
- Go to https://github.com/OpenCoworkAI/open-codesign/security/advisories/new
- Fill in the form with reproduction steps and impact assessment
- We will acknowledge within 72 hours and provide an initial response within 7 days
For urgent or sensitive matters, you may also email security@opencowork.ai (PGP key TBD).
This project is in pre-alpha. Only the latest commit on main is supported. Once 1.0 is released, we will support the latest minor version.
We follow coordinated disclosure: we will work with you on a fix before public disclosure, and credit you in the advisory unless you prefer to remain anonymous.
- Code execution, sandbox escape, or privilege escalation in the Electron app
- API key exfiltration or unsafe credential storage
- Vulnerabilities in our build/release pipeline
- Issues in dependencies that affect us materially
- Vulnerabilities in third-party LLM APIs (report to those vendors)
- Issues that require physical access to the user's unlocked machine
- Social engineering attacks against users