Please do not report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting for this repository. If private reporting is unavailable in your client, open a maintainer contact request in GitHub Discussions without disclosing the vulnerability details.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity, but we aim for:
- Critical: 24-48 hours
- High: 1 week
- Medium/Low: Next release
Security issues in the THRUNT codebase that could:
- Execute arbitrary code on user machines
- Expose sensitive data (API keys, credentials)
- Compromise the integrity of generated plans/code
We appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).