Skip to content

Security: vidproject1/rylo-coder

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

We take the security of Rylo Coder seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email at [INSERT SECURITY EMAIL] or create a draft security advisory in the GitHub repository.

What to Include

Please include the following information in your report:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggested fixes or mitigations (if available)

Response Timeline

You should receive a response within 48 hours acknowledging your report.

After the initial reply, we will keep you informed of the progress toward a fix and full announcement. We may ask for additional information or guidance.

Disclosure Policy

  • We will confirm receipt of your report within 48 hours
  • We will investigate and validate the issue
  • We will develop a fix and test it thoroughly
  • We will release a patched version
  • We will publicly disclose the vulnerability after users have had time to update

We appreciate your responsible disclosure and will acknowledge your contribution when the issue is resolved.

Security Best Practices for Users

When using Rylo Coder, follow these security best practices:

  1. Review Safety Settings: Choose the appropriate safety mode (approve, allowlist, or yolo) for your use case
  2. Audit Logs: Regularly review progress/audit.log for command and path decisions
  3. API Keys: Store OpenRouter or other API keys in ~/.config/rylo-coder/settings.yaml, never commit them to the repository
  4. Protected Paths: Be aware that writes to system paths (/etc, /usr, etc.) require explicit approval
  5. Command Approval: In approve or allowlist mode, review shell commands before approving execution
  6. Keep Updated: Update to the latest version to receive security patches

Hard-Denied Patterns

The following patterns are always blocked regardless of safety mode:

  • Pipe-to-shell installers (curl ... | sh)
  • Fork bombs
  • Filesystem formatting commands
  • dd writes to block devices
  • Power control commands (shutdown, reboot, poweroff, halt)
  • Dangerous recursive deletion (rm -rf /, rm -rf ~)
  • Dangerous recursive chmod
  • Hidden payloads via sh -c

Thank you for helping keep Rylo Coder and our users safe!

There aren’t any published security advisories