We take security seriously. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please report them by:

1. Email: Send a report to the maintainer through GitHub's private vulnerability reporting feature. This ensures the report is only visible to maintainers.

2. What to include:

   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fix (optional but appreciated)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Fix timeline: Depends on severity, but we aim for a patch release within 30 days

• Never commit API keys, tokens, passwords, or credentials
• Use environment variables for secrets (os.environ.get("KEY"))
• Review the output of ruff check before submitting PRs
• Keep dependencies up to date (pip audit or uv pip compile)
• Don't use pickle on untrusted data
• Validate all external inputs in inference paths

VibeBlade has minimal dependencies:

• Required: numpy (compute), safetensors (model loading)
• Optional: onnxruntime (ONNX backend), torch (ONNX export), pybind11 (C++ extensions)
• Dev: pytest, ruff

We audit dependencies regularly and pin versions in release builds.