If you discover a security vulnerability in Vellum Assistant, please report it responsibly. Do not open a public GitHub issue.
Email security@vellum.ai with:
- A description of the vulnerability
- Steps to reproduce
- The potential impact
- Any suggested fix (optional)
We will acknowledge receipt within 48 hours and aim to provide a resolution timeline within 5 business days.
This policy covers the code in this repository, including:
- The assistant runtime (
assistant/) - The gateway (
gateway/) - The CLI (
cli/) - Native clients (
clients/) - The credential execution service (
credential-executor/) - The packages shared between services (
packages/)
For Socket.dev supply-chain controls and autofix operations, see docs/socket.md.
For details on Vellum Assistant's security architecture — including sandboxing, credential storage, permission modes, and trust rules — see the Security Architecture documentation.