Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, use GitHub Security Advisories to report vulnerabilities privately.
Include in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce
- Affected versions
- A proposed fix (if any)
We aim to acknowledge reports within 48 hours and provide a resolution timeline within 7 days of confirmation.
| Version | Supported |
|---|---|
| 0.7.x | ✅ Active support |
| 0.6.x | |
| < 0.6 | ❌ End of life |
- API keys are stored via
bog-agents vars set(encrypted vault) or environment variables; never hardcoded. - Daemon API binds to
127.0.0.1(localhost only) by default and requires a token stored at~/.bog-agents/daemon/token(mode 0o600). - Webhook secrets are validated with HMAC-SHA256 (
hmac.compare_digestfor timing-safe comparison). - File output paths are restricted to the user's home directory and
/tmpto prevent path traversal. - Git hook scripts use
shlex.quote()to prevent shell injection. - Auth token comparison uses
hmac.compare_digestto prevent timing attacks.