DeepSeek TUI is a coding agent with direct access to file operations, shell execution, and the network. Security disclosures are taken seriously.

Only the latest stable release receives security patches. No backports to older versions.

Check the releases page for the current version.

Do not open a public GitHub issue for security vulnerabilities.

Report privately via one of:

• Email: hmbown.dev@gmail.com — include [SECURITY] in the subject line
• GitHub private advisory: github.com/Hmbown/DeepSeek-TUI/security/advisories/new

Include in your report:

• A description of the vulnerability and the impact if exploited
• Steps to reproduce or a proof of concept
• Affected versions and configuration details
• Any suggested mitigation (optional)

You will receive status updates at each phase. If the timeline slips, we will communicate the reason and the revised estimate.

• Remote code execution through crafted prompts or model responses
• Sandbox escape — breaking out of the YOLO-mode workspace boundary or shell cwd confinement
• Credential leak — exfiltration of API keys, tokens, or environment secrets
• Arbitrary file read/write outside the intended workspace (PathEscape bypass)
• SSRF via fetch_url or web_search against internal network endpoints
• Unauthorised MCP server access or tool invocation

• Social engineering of the maintainer or contributors
• Denial of service / rate-limit exhaustion against the DeepSeek API
• Vulnerabilities in third-party dependencies (report to the upstream project)
• Attacks requiring physical access to the victim's machine
• Theoretical ML-model injection attacks not demonstrated in the DeepSeek TUI context

If you are unsure whether a bug is in scope, report it anyway. We will triage and respond.

We maintain a hall of fame for reporters who submit verified security vulnerabilities. To be credited, include your preferred name / handle in the report.

No entries yet — be the first.