Currently supporting security updates for:

| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should not be reported via GitHub issues as they are publicly visible.
Send details to the project maintainers through one of these channels:
- GitHub Security Advisory (preferred)
- Direct message to maintainers
Your report should include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days for critical issues
The hook scripts run with user permissions and execute shell commands. Be aware:
- Command Injection: Hooks process user input and file paths
  - Sanitize all inputs
  - Use proper quoting
  - Avoid eval statements
- File System Access: Hooks read and check files
  - Validate all file paths
  - Prevent directory traversal
  - Check permissions
- Git Commands: Hooks execute git commands
  - Validate git repository state
  - Handle untrusted input carefully
When using or modifying Vibespec:
- Review Hook Scripts: Understand what the scripts do
- Limit Permissions: Run with minimal required permissions
- Validate Input: Never trust user input
- Update Regularly: Keep Vibespec updated
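As an added illustration of the command-injection, file-system and git points above and of the "validate input" and "limit permissions" practices, here is a small bash hook helper. It is example code, not one of Vibespec's own hook scripts; the function names, the `vs_` variable prefix, the repo-root plus relative-path convention and the exact git calls are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Vibespec's own hook code: a hook helper that applies the
# policy's three rules. Input paths are validated before use, every expansion
# is quoted, and nothing is passed through eval or "sh -c". The function
# names and the repo-root/relative-path convention are this example's own.
set -eu

# Return 0 if "$1" is a relative path that cannot escape the repository root:
# not empty, no leading "/", no leading "-" (would be parsed as an option),
# no newline (breaks line-oriented git output), and no ".." component.
vibespec_is_safe_relpath() {
    vs_p=$1
    vs_nl='
'
    case "$vs_p" in
        '' | /* | -*) return 1 ;;
        *"$vs_nl"*) return 1 ;;
    esac
    # Wrapping in "/" lets one glob catch ".." as a whole component anywhere
    # ("a/../b", "../x", "x/..") while still allowing names like "..cache".
    case "/$vs_p/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Count the lines of a repository-relative file. The path is validated and
# then used only as a quoted argument, so a name such as 'a b;$(id).txt'
# stays a filename instead of becoming shell syntax.
vibespec_count_lines() {
    vs_root=$1
    vs_rel=$2
    vibespec_is_safe_relpath "$vs_rel" || {
        printf 'rejected path: %s\n' "$vs_rel" >&2
        return 1
    }
    [ -f "$vs_root/$vs_rel" ] || return 1
    # Arithmetic expansion strips the padding some wc builds print.
    echo $(( $(wc -l < "$vs_root/$vs_rel") ))
}

# Ask git whether a validated path is tracked. "-C" pins the repository,
# rev-parse confirms we really are inside a work tree, and "--" ends option
# parsing so the path can never be read as a flag. (Assumes git is on PATH.)
vibespec_git_is_tracked() {
    vs_root=$1
    vs_rel=$2
    vibespec_is_safe_relpath "$vs_rel" || return 1
    git -C "$vs_root" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 1
    git -C "$vs_root" ls-files --error-unmatch -- "$vs_rel" >/dev/null 2>&1
}

# Stand-alone demo on constructed input; needs neither a file nor git.
for vs_candidate in 'src/main.sh' '..cache/x' '../etc/passwd' '--output=x' 'a/../../b'; do
    if vibespec_is_safe_relpath "$vs_candidate"; then
        printf 'accepted: %s\n' "$vs_candidate"
    else
        printf 'rejected: %s\n' "$vs_candidate"
    fi
done
```

The validator is deliberately string-only (no `realpath`), so it behaves the same whether or not the file exists yet and cannot be tricked by a symlink created between the check and the use; the `-C`/`--` pattern in the git call is what keeps a hostile filename from ever being read as an option.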
Known limitations:
- Hooks require bash (security implications on Windows)
- No sandboxing of hook execution
- Relies on Claude Code's security model
We support responsible disclosure:
- Report vulnerabilities privately first
- Allow reasonable time for fixes
- Coordinate on disclosure timing
- Credit researchers appropriately
Security updates will be:
- Released as patch versions
- Announced in release notes
- Documented in CHANGELOG.md
Thank you for helping keep Vibespec secure!