| Version | Supported |
|---|---|
| 0.x.x | Yes |

If you discover a security vulnerability in GitSage, please report it responsibly.
DO NOT open a public issue for security vulnerabilities.
Instead, please email rameshreddy.adutla@gmail.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You will receive an acknowledgement within 48 hours, and a detailed response within 5 business days indicating next steps.
GitSage handles sensitive data including:
- GitHub tokens - used to access org repositories
- OpenAI API keys - used for embeddings and LLM calls
- Repository content - indexed and stored in the vector database

- Never commit secrets - use environment variables or `.env` files (gitignored)
- Use read-only GitHub tokens - GitSage only needs read access to repos
- Network isolation - run PostgreSQL in a private network, not exposed publicly
- Copilot Extension signatures - always verify GitHub webhook signatures in production
- Regular token rotation - rotate API keys periodically
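The webhook-signature check recommended above, as an added example that is not GitSage's own code: GitHub signs each webhook delivery with HMAC-SHA256 over the raw request body using the webhook secret and sends the result in the `X-Hub-Signature-256` header. The secret, body and header values below are constructed for illustration; in production the secret comes from the environment and the body and headers come from the incoming request.

```python
import hmac
import hashlib
from typing import Optional

# Constructed values for this example. In production the secret is loaded
# from an environment variable and must never be committed to the repo.
WEBHOOK_SECRET = b"example-webhook-secret"
RAW_BODY = b'{"action":"opened","repository":{"full_name":"example-org/example-repo"}}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 value GitHub would send for this body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Reject deliveries whose header is missing, uses another scheme,
    or does not match the HMAC of the exact bytes that were received."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct signature byte by byte from response timing.
    return hmac.compare_digest(expected, header_value)


def handle_delivery(secret: bytes, body: bytes, headers: dict) -> tuple:
    """Minimal handler: verify the signature over the raw body before parsing
    any JSON, so unsigned or tampered payloads never reach application logic."""
    # Assumes header names are already normalised to this casing by the framework.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 401, "invalid signature"
    return 200, "ok"


if __name__ == "__main__":
    signed = {"X-Hub-Signature-256": compute_signature(WEBHOOK_SECRET, RAW_BODY)}
    print(handle_delivery(WEBHOOK_SECRET, RAW_BODY, signed))
    # Same header, modified body: the HMAC no longer matches.
    tampered = RAW_BODY.replace(b"opened", b"closed")
    print(handle_delivery(WEBHOOK_SECRET, tampered, signed))
```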