Security: ComposioHQ/composio

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

We take the security of Composio seriously. If you believe you have found a security vulnerability, please report it to us through GitHub Security Advisories or drop us an email at [email protected].

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them using one of the following methods:

  1. GitHub Security Advisory (Preferred): Report a vulnerability directly through GitHub by visiting:

  2. Email: If you prefer not to use GitHub Security Advisories, you can email security concerns to the maintainers.

What to Include

Please include as much of the following information as possible:

  • Type of vulnerability
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the vulnerability, including how an attacker might exploit it

Response Timeline

  • We will acknowledge your report within 48 hours
  • We will provide a more detailed response within 7 days indicating the next steps
  • We will keep you informed of the progress toward resolving the issue
  • We may ask for additional information or guidance
  • Please DO NOT test against production systems without permission
  • Please DO NOT access or modify user data
  • Please DO NOT exploit vulnerabilities beyond what is needed for a proof of concept. For instance, on discovery of a credential or unauthorized access to a protected resource, do not attempt to exploit the vulnerability to gather all resources that can be accessed

Supported Versions

We release patches for security vulnerabilities. Please ensure you are using the latest version of Composio.

Disclosure Policy

  • We follow coordinated disclosure practices
  • Security advisories will be published after a fix is available
  • We appreciate responsible disclosure and will acknowledge reporters in the advisory (unless you prefer to remain anonymous)

Thank you for helping keep Composio and our users safe!

We follow responsible disclosure practices and work with researchers to ensure vulnerabilities are properly addressed before public disclosure.