This document describes how to report vulnerabilities and which versions are supported.

| Version | Supported |
|---|---|
| v0.1.0 | ✅ |
| Earlier releases | ❌ |

We currently support the latest tagged release only. Security fixes will be backported on a best‑effort basis.
Do not open a public issue for security reports. Instead, choose one of the following private channels:

- GitHub Security Advisory (preferred):
  - Go to the repository → Security tab → Advisories → Report a vulnerability.
  - Provide a minimal, reproducible example (`spec.json` + `.feature`) and environment details.
- Email:
  - Send details to erickjativa@gmail.com with the subject: Security report: Daedalus Studio.

Please include:
- Affected version/commit hash
- Environment (OS, Node, pnpm), LM Studio model + server version
- Steps to reproduce (minimal inputs)
- Impact assessment (what can an attacker do?)
- Any suggested mitigations
We aim to acknowledge valid reports within 3 business days and provide a remediation plan or mitigation timeline within 10 business days. Critical issues may be addressed with an out‑of‑band patch release.

In scope:
- CLI (`src/cli.ts`), backend (`src/server.ts`), UI (`ui/src/*`), schema/prompt files
- Build & distribution scripts

Out of scope (unless impact is demonstrated):
- Local model vulnerabilities in third‑party software (e.g., LM Studio internals)
- Operating system or browser flaws
We follow responsible disclosure. After a fix is available, we may publish a summary in the release notes and credit reporters (opt‑in). If you prefer to remain anonymous, please state so in your report.