If you find a security issue in Qdecision, do not open a public issue first.
Please provide:
- a concise description of the vulnerability
- reproduction steps or a proof of concept
- affected provider path if relevant (
Ollama/OpenAI) - impact assessment if known
Until a private reporting channel is configured, report responsibly through a direct maintainer contact path instead of public disclosure.
Relevant areas include:
- API route authorization or owner isolation
- prompt or structured output injection paths
- data leakage across browser owners
- secrets or environment variable exposure
- unsafe logging of prompts or responses