Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions. A public report gives attackers a head start.
Use GitHub's built-in private reporting: Security → Report a vulnerability on the open-tag repository.
This opens a confidential thread between you and the maintainers. GitHub keeps it private until a fix is published and a CVE (if warranted) is issued.
If you cannot use GitHub's private reporting, contact the maintainer @fancyboi999 on GitHub.
Include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof-of-concept (as minimal as possible).
- The version(s) affected.
- Any suggested mitigations you have in mind.
We will acknowledge your report within 72 hours and aim to issue a fix or mitigation within 14 days for critical issues. We will keep you informed as the fix progresses and credit you in the advisory unless you prefer to remain anonymous.
| Version | Supported |
|---|---|
Latest main |
Yes |
| Older tags | Best-effort (patch may land only on main) |
open-tag is early-stage software. We strongly recommend running the latest
commit from main or the most recent daemon release on npm
(@fancyboi999/open-tag-daemon).
ALLOW_DEV_LOGIN=truemints JWTs with no password — development only.NODE_ENV=productiondisables it as a second line of defense.DAEMON_BOOTSTRAP_KEYdefaults to a placeholder (poc-secret-key) in dev. Set a strong random value in.envbefore any network-accessible deployment.- Agent tokens are per-agent
sk_agent_*secrets hashed with bcrypt. They are rotated on every agent turn.
See docs/authorization.md for the full access-control model and known
hardening gaps.
- Issues already tracked in
docs/tech-debt-tracker.mdwith aPendingorDeferredstatus (unless you have a working exploit). - Self-hosted misconfigurations (e.g. exposing the server to the internet without TLS or a reverse proxy).