Currently, only the latest version of dev-agent receives security updates.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take the security of dev-agent seriously. If you discover a security vulnerability, please follow these steps:
Please do not create a public GitHub issue for security vulnerabilities. This helps protect users who haven't yet updated to a patched version.
Send a detailed report to the project maintainers via:
- GitHub Security Advisories: Use the "Report a vulnerability" button in the Security tab
- Direct Contact: Open a private discussion in the repository
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity
- Steps to Reproduce: Detailed steps to reproduce the issue
- Environment: Version, OS, Node.js version, etc.
- Proof of Concept: If available (code snippets, screenshots)
- Suggested Fix: If you have recommendations
```markdown
## Vulnerability Description
[Brief description of the vulnerability]

## Impact
[What can an attacker do? What data is at risk?]

## Steps to Reproduce
1. [First step]
2. [Second step]
3. [And so on...]

## Environment
- dev-agent version: 0.1.0
- Node.js version: 22.0.0
- Operating System: macOS 14.0

## Proof of Concept
[Code snippet or screenshot]

## Suggested Fix
[If you have any suggestions]
```
- Acknowledgment: Within 48 hours of report
- Initial Assessment: Within 7 days
- Status Updates: Every 7 days until resolved
- Fix Release: Depends on severity (critical issues within 7 days)
When using dev-agent, we recommend:
- Keep Updated: Always use the latest version
- Review Permissions: Understand what file access is granted
- Environment Variables: Don't expose sensitive data in `.dev-agent/config.json`
- Repository Access: dev-agent reads your codebase - ensure it's running in trusted environments
- MCP Configuration: Secure your `~/.cursor/mcp.json` file with appropriate permissions
- Dependencies: Keep dependencies up to date
- Code Review: All code changes require review before merge
- Input Validation: Validate all user inputs and API responses
- Sensitive Data: Never log sensitive information
- Tests: Include security tests for new features
dev-agent requires read access to your repository files for indexing. It:
- ✅ Respects `.gitignore` - Won't index ignored files
- ✅ Local Only - All data stays on your machine
- ✅ No Network Calls - Embeddings run locally
- ❌ Write Access - Does NOT write to your codebase (read-only)
The MCP server:
- Runs locally via STDIO transport
- No network exposure by default
- Controlled by your IDE (Cursor/Claude)
- Respects OS-level file permissions
- Vector Indexes: Stored in `~/.dev-agent/indexes/`
- Configuration: Stored in `~/.dev-agent/config.json`
- No Telemetry: We don't collect usage data
- No Cloud: Everything stays local
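
One way to check the "MCP Configuration" recommendation and the storage locations listed above. This is an added example, not a script shipped with dev-agent; the function names `is_exposed` and `audit_paths` and the `run` argument are hypothetical, and only the three paths come from this page.

```shell
#!/bin/sh
# Added example: flag dev-agent / MCP files that group or other users can access.

# Succeeds (returns 0) if PATH grants any permission bit to group or others.
is_exposed() {
    # POSIX find: "-perm -MODE" matches only when every bit in MODE is set,
    # so each group/other bit is tested on its own. -prune stops descent.
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# audit_paths [--fix] PATH...
# Prints one status line per path; return status = number of paths still exposed.
audit_paths() {
    fix=0
    [ "$1" = "--fix" ] && { fix=1; shift; }
    exposed=0
    for p in "$@"; do
        if [ -L "$p" ]; then
            # Symlink modes are meaningless; the target needs a manual look.
            echo "LINK     $p (symlink, check its target by hand)"
        elif [ ! -e "$p" ]; then
            echo "SKIP     $p (not present)"
        elif is_exposed "$p"; then
            # go-rwx yields 0600-style files and 0700-style directories.
            if [ "$fix" -eq 1 ] && chmod go-rwx "$p" && ! is_exposed "$p"; then
                echo "FIXED    $p"
            else
                echo "EXPOSED  $p"
                exposed=$((exposed + 1))
            fi
        else
            echo "OK       $p"
        fi
    done
    return "$exposed"
}

# Audit the paths named on this page: "sh script.sh run" or "sh script.sh run --fix".
if [ "${1:-}" = "run" ]; then
    shift
    audit_paths "$@" "$HOME/.cursor/mcp.json" \
        "$HOME/.dev-agent/config.json" "$HOME/.dev-agent/indexes"
fi
```

Restricting the `indexes` directory itself is enough to keep other local users out of the files inside it, so the check does not recurse.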
- ✅ Input Validation: All MCP tool inputs validated
- ✅ Rate Limiting: Per-tool request limits (100 req/min)
- ✅ Error Handling: Graceful error handling without exposing internals
- ✅ Sandboxed Execution: MCP server runs with limited permissions
- ✅ Type Safety: TypeScript strict mode enabled
- ✅ Memory Bounds: Circular buffers prevent memory exhaustion
- Configurable rate limits
- Audit logging for MCP operations
- Index encryption at rest
- Signed releases with checksums
We appreciate responsible disclosure of security vulnerabilities. Security researchers who report valid vulnerabilities will be:
- Acknowledged: In release notes (with permission)
- Credited: In SECURITY.md
- Updated: On fix timeline and resolution
Security updates are released as:
- Patch versions (0.1.x) for low-severity issues
- Minor versions (0.x.0) for medium-severity issues requiring breaking changes
- Immediate hotfix for critical vulnerabilities
Subscribe to releases on GitHub to get notified of security updates.
If you have questions about security but haven't found a vulnerability, feel free to open a discussion in the repository.
Last Updated: 2025-11-26
Policy Version: 1.0