Plamen is a security auditing tool — we take vulnerabilities in our own tooling seriously.
If you discover a security vulnerability in Plamen's pipeline, MCP server, or wrapper code, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Use GitHub Security Advisories to report privately via the repository's "Security" tab → "Report a vulnerability"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

The following are in scope for security reports:
- MCP server vulnerabilities (unified-vuln-db, slither-analyzer) — command injection, path traversal, data leakage
- Pipeline prompt injection — inputs that cause agents to exfiltrate data, bypass safety checks, or produce malicious output
- Credential exposure — API keys, private keys, or secrets leaked through logs, artifacts, or reports
- Wrapper code (plamen.py) — command injection via user inputs passed to subprocess

The following are out of scope:
- False positives/negatives in audit findings (these are quality issues, not security bugs)
- LLM hallucinations or reasoning errors (inherent to the underlying model)
- Issues in third-party dependencies (report upstream)

We aim to respond to reports on the following timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity, but we aim to fix Critical issues within 72 hours

| Version | Supported |
|---|---|
| Latest | Yes |
| < Latest | Best effort |