Do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately via GitHub Security Advisories: Settings → Security → Advisories → Report a vulnerability

We aim to respond within 5 business days and to release a fix within 30 days for critical issues.

Issues we consider in scope:

• Prompt injection — external content causing the agent to deviate from its instructions
• PII leakage — the agent repeating or storing user-provided personal data
• System prompt exfiltration — the agent revealing its system prompt verbatim
• Credential exposure — secrets committed to the repository or leaked in logs
• Dependency CVEs — HIGH or CRITICAL severity vulnerabilities in pinned dependencies

Automated red-team tests run on every pull request via promptfoo. The test suite in tests/evals/promptfoo.yaml covers:

• Prompt injection attempts
• Jailbreak via roleplay and direct override
• System prompt exfiltration
• PII handling
• Harmful content refusal

To add a new test case, append to tests/evals/promptfoo.yaml and open a PR.

Dependencies are audited automatically:

• pip-audit runs on every push to main and weekly on Monday
• trufflehog scans git history for secrets on every push to main
• CodeQL static analysis runs on every push to main

To acknowledge a false-positive CVE, add a comment # audit-ignore: CVE-YYYY-XXXXX <reason> on the relevant dependency line in pyproject.toml.

• Never commit .env files — they are gitignored
• Use detect-secrets (pre-commit hook) to prevent accidental credential commits
• In CI, secrets are stored as GitHub repository secrets and never printed to logs
• GCP authentication uses a service account key stored as GCP_SA_KEY secret — rotate it annually or immediately if compromised