Security updates are provided for the latest 1.0.x release line.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Report privately through one of the following channels:
- GitHub Security Advisories (preferred): open a private advisory via the repository's Security → Advisories → Report a vulnerability page.
- Email:
security@gerdsen.ai
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, ideally a minimal proof of concept.
- Affected version(s) (see
builder/VERSIONand the plugin manifest). - Any suggested remediation, if you have one.
- Acknowledgement of your report within 3 business days.
- Initial assessment (severity, validity, affected versions) within 7 business days.
- We will keep you informed of remediation progress and coordinate a disclosure timeline with you. Please allow us a reasonable window to ship a fix before any public disclosure.
We appreciate responsible disclosure and will credit reporters who wish to be acknowledged.
This project takes security seriously:
- It undergoes adversarial red-team review (multi-domain analysis covering code, security, and supply-chain concerns) as part of its release process.
- It ships an input sanitizer that allowlists rendering markup, validates attributes, and escapes untrusted text before it reaches the PDF renderer.
- It includes an SSRF guard for outbound requests (blocking private, loopback, and cloud-metadata addresses, disabling redirects, and capping response size).
Despite these measures, no software is perfectly secure — your reports help keep it that way.