| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
DO NOT report security vulnerabilities through public GitHub issues.
Report vulnerabilities via email to: security@goondocks.co
Include in your report:
- Type of vulnerability
- Affected source file(s) and location (tag/branch/commit or URL)
- Steps to reproduce
- Proof-of-concept or exploit code (if possible)
- Impact assessment
| Stage | Timeframe |
|---|---|
| Initial acknowledgment | Within 48 hours |
| Status updates | At least every 7 days |
| Coordinated disclosure | Within 90 days |
- Acknowledgment within 48 hours
- Assessment of vulnerability and impact
- Plan for remediation
- Regular progress updates
- Credit for discovery (if desired) upon disclosure
- Never commit secrets; use environment variables (GITHUB_TOKEN, ANTHROPIC_API_KEY)
- Review AI-generated output before applying changes to your codebase
- Protect the .oak/ directory; it contains project configuration
- Use minimal token scopes and rotate API tokens regularly
Security patches are released as patch versions and announced via:
- Vulnerability reports: security@goondocks.co (email only)
- General security questions: GitHub Discussions