| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability in whiterose, please report it responsibly.
- Do NOT create a public GitHub issue for security vulnerabilities
- Email the maintainer directly at: [create a private security advisory on GitHub]
- Or use GitHub's private vulnerability reporting: https://github.com/shakecodeslikecray/whiterose/security/advisories/new
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix timeline: depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: next release
Security issues we're interested in:
- Command injection via LLM prompts
- Path traversal in file operations
- Credential exposure
- Arbitrary code execution
- Privilege escalation
Out of scope:
- Issues in the underlying LLM providers (claude-code, codex, etc.)
- Social engineering attacks
- Issues requiring physical access