If you discover a security vulnerability in RLM, please report it responsibly:

1. Do NOT open a public issue
2. Use GitHub Private Vulnerability Reporting
3. Or email: ahmed.makni@proton.me

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix release: as soon as possible, depending on severity

RLM includes built-in protections (see mcp_server/tools/fileutil.py):

• Path traversal prevention - Chunk IDs validated against strict allowlist, resolved paths checked
• Atomic writes - Write-to-temp-then-rename prevents corruption
• File locking - fcntl.flock exclusive locks for concurrent access
• Content size limits - 2 MB chunks, 10 MB decompression cap
• SHA-256 hashing - For content deduplication

RLM is a local MCP server. All data is stored on disk in ~/.claude/rlm/context/. No data is sent to external services.