Do not open a public issue.

Preferred: Use GitHub's private vulnerability reporting — click "Report a vulnerability" on the Security tab of this repository. This creates a private advisory draft with a CVE workflow.

Alternative: Email [email protected] with details.

Include as much detail as possible:

• Description of the vulnerability
• Steps to reproduce
• Affected component (LLM providers, secret scanning, git operations, config)
• Potential impact

You will receive an acknowledgment within 7 days. Fixes for confirmed vulnerabilities will be released as patch versions with a security advisory.

Security issues in the following areas are in scope:

• LLM streaming — buffer exhaustion, response size limits, malformed server responses
• Secret scanning — pattern bypass, false negatives on known key formats
• Config security — project-level config overrides that could redirect API traffic or exfiltrate data
• Git operations — command injection via file paths, argument injection
• Error messages — credential or URL leakage in error output
• Prompt injection — crafted diff content that manipulates LLM behavior to produce harmful output
• Dependency vulnerabilities — reqwest, tokio, tree-sitter, serde

• LLM output quality (wrong commit type, generic subjects) — use the issue tracker
• Feature requests — use the issue tracker
• Vulnerabilities in Ollama, OpenAI, or Anthropic services themselves