We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ✅ |
| < 1.0 | ❌ |
Please DO NOT create public GitHub issues for security vulnerabilities.
Email security reports to: helge.sverre@gmail.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix timeline: Depends on severity
- Critical: 1-3 days
- High: 1-2 weeks
- Medium: 2-4 weeks
- Low: Next release
- We will coordinate disclosure with you
- We prefer coordinated disclosure after fix is released
- You will be credited in release notes (if desired)
When using Mindwave:
- API Keys: Never commit API keys to version control
- PII Protection: Enable
capture_messages: falsein production - Rate Limiting: Implement rate limiting for public-facing LLM endpoints
- Input Validation: Sanitize user input before sending to LLMs
- Cost Controls: Set budget limits in config
- LLM Prompt Injection: User input should be validated
- Token Costs: Implement rate limiting to prevent abuse
- API Key Exposure: Use environment variables, never hardcode
- Tracing PII: Disable message capture in production
Subscribe to releases to be notified of security updates: https://github.com/helgesverre/mindwave/releases