| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Do not open a public GitHub issue. Report security vulnerabilities privately via email:
You will receive an acknowledgment within 48 hours, and we will work with you to understand the scope and impact of the issue.
| Event | Expected Timeframe |
|---|---|
| Initial acknowledgment | 48 hours |
| Triage & investigation | 5 business days |
| Fix development | 10 business days |
| Patch release | 15 business days |
- We will acknowledge receipt of your report within 48 hours.
- We will confirm the vulnerability and determine its impact within 5 business days.
- We will release a fix and public advisory as soon as possible, coordinated with you if desired.
- Public disclosure is delayed until a fix is available and users have had reasonable time to upgrade.
- API Keys — Never hardcode provider API keys. Use environment
variables (
.envfile, CI secrets, etc.). - Source Validation — Verify URLs passed to
Knowledge.create()orfetch_url()come from trusted sources. The SDK does not validate content — it delegates extraction to the configured LLM. - Bundle Integrity — Use
BundleSerializer.validate()to check that bundle files are structurally consistent after writing. - Updates — Keep the SDK and its dependencies up to date
(especially
litellmandpydantic). - Dependency Scanning — Run
pip-auditorsafetyon your environment to check for known vulnerabilities in dependencies.