If you discover a security vulnerability in parapilot, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
- GitHub Private Vulnerability Reporting (preferred): go to the repository's Security Advisories page and create a new draft advisory.
- Email: send details to kimimgo@gmail.com

Whichever channel you use, include:

- A description of the vulnerability
- Steps to reproduce (a minimal proof of concept is ideal)
- Potential impact
- A suggested fix (if any)

| Action | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Patch release | Within 7 days of confirmation |
- Security issues are disclosed publicly only after a patch is released
- Credit is given to reporters (unless anonymity is requested)

| Version | Supported |
|---|---|
| 0.1.x | Yes |
The following are in scope:

- Path traversal via PARAPILOT_DATA_DIR
- MCP protocol injection
- Arbitrary code execution via the pipeline DSL
- Dependencies with known CVEs
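To make the first item concrete, the following is an added example of the containment check a data-directory path should pass; it is not parapilot's own code. It assumes that PARAPILOT_DATA_DIR names a base directory and that user-supplied names are joined to it (how parapilot actually uses the variable is not stated on this page), and Python is chosen as the example language only because MCP tooling and DSL-driven pipelines are commonly written in it. The sample inputs at the bottom are constructed for the example.

```python
import os
from pathlib import Path

# Constructed for this example: a stand-in for the directory that the
# PARAPILOT_DATA_DIR environment variable would point at. Whether parapilot
# reads the variable exactly this way is an assumption, not documented here.
DATA_DIR = os.environ.get("PARAPILOT_DATA_DIR", "/srv/parapilot-data")


def resolve_in_data_dir(name: str, data_dir: str = DATA_DIR) -> Path:
    """Resolve `name` inside `data_dir` and return the absolute path.

    Raises ValueError if the resolved path lands outside `data_dir`. Both
    sides are resolved first so that "..", absolute names and symlinks that
    point out of the tree are all caught by the same comparison.
    """
    base = Path(data_dir).resolve()
    target = (base / name).resolve()
    # A plain str.startswith(base) check would accept "/srv/parapilot-data2";
    # is_relative_to compares whole path components (Python 3.9+).
    if not target.is_relative_to(base):
        raise ValueError(f"refusing path outside data dir: {name!r}")
    return target


def is_contained(name: str, data_dir: str = DATA_DIR) -> bool:
    """True if `name` stays inside `data_dir`, False if it would escape."""
    try:
        resolve_in_data_dir(name, data_dir)
        return True
    except ValueError:
        return False


# Constructed sample inputs: what a reporter might try, and what the check
# should do with each.
SAMPLE_NAMES = [
    "reports/2024.json",           # ordinary relative name: allowed
    "reports/../2024.json",        # ".." that stays inside: allowed
    "../secrets.env",              # climbs out of the tree: rejected
    "reports/../../../etc/passwd", # deep climb: rejected
    "/etc/passwd",                 # absolute name overrides the base: rejected
]


def classify(names=SAMPLE_NAMES, data_dir: str = DATA_DIR) -> dict:
    """Map each candidate name to whether the check accepts it."""
    return {name: is_contained(name, data_dir) for name in names}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{'allow ' if ok else 'reject'}  {name}")
```

A report in this class would show a name that `is_contained` should reject but that the real code accepts; resolving both the base and the candidate before comparing is what defeats the usual bypasses (`..` segments, absolute names, and symlinks planted inside the data directory).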