Skip to content

Security: GerdsenAI/GerdsenAI-Agentic-Devtools

Security

SECURITY.md

Security Policy

Supported versions

Security updates are provided for the latest 1.0.x release line.

Version Supported
1.0.x
< 1.0

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Report privately through one of the following channels:

  • GitHub Security Advisories (preferred): open a private advisory via the repository's Security → Advisories → Report a vulnerability page.
  • Email: security@gerdsen.ai

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, ideally a minimal proof of concept.
  • Affected version(s) (see builder/VERSION and the plugin manifest).
  • Any suggested remediation, if you have one.

Response expectations

  • Acknowledgement of your report within 3 business days.
  • Initial assessment (severity, validity, affected versions) within 7 business days.
  • We will keep you informed of remediation progress and coordinate a disclosure timeline with you. Please allow us a reasonable window to ship a fix before any public disclosure.

We appreciate responsible disclosure and will credit reporters who wish to be acknowledged.

Our security posture

This project takes security seriously:

  • It undergoes adversarial red-team review (multi-domain analysis covering code, security, and supply-chain concerns) as part of its release process.
  • It ships an input sanitizer that allowlists rendering markup, validates attributes, and escapes untrusted text before it reaches the PDF renderer.
  • It includes an SSRF guard for outbound requests (blocking private, loopback, and cloud-metadata addresses, disabling redirects, and capping response size).

Despite these measures, no software is perfectly secure — your reports help keep it that way.

There aren't any published security advisories