We actively maintain and provide security updates for the following versions:

The Qodo Command Agent Reference Implementations team takes security seriously. We appreciate your efforts to responsibly disclose your findings.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing: [email protected]

Include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

After submitting a report, you can expect:

1. Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours
2. Initial Assessment: We'll provide an initial assessment within 5 business days
3. Regular Updates: We'll keep you informed of our progress throughout the investigation
4. Resolution Timeline: We aim to resolve critical vulnerabilities within 30 days

• We'll work with you to understand and resolve the issue quickly
• We'll keep you informed throughout the process
• We'll publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)
• We'll coordinate the timing of public disclosure

When developing or deploying agents from this repository, please consider:

• Sanitize all user inputs before processing
• Validate file paths to prevent directory traversal attacks
• Limit input size to prevent resource exhaustion
• Use allowlists for acceptable input patterns when possible

• Sandbox code execution when running user-provided code
• Limit system access for agent processes
• Validate commands before execution
• Use secure defaults for all configurations

• Never log sensitive information (API keys, passwords, personal data)
• Encrypt sensitive data at rest and in transit
• Implement proper access controls for configuration files
• Use secure communication channels for API calls

• Keep dependencies updated to latest secure versions
• Regularly audit dependencies for known vulnerabilities
• Use dependency scanning tools in CI/CD pipelines
• Pin dependency versions for reproducible builds

• Implement proper authentication for agent access
• Use principle of least privilege for system permissions
• Rotate API keys and tokens regularly
• Implement session management securely

# ❌ Dangerous - Direct execution of user input
exec(user_input)

# ✅ Safe - Use ast.literal_eval for safe evaluation
import ast
try:
    result = ast.literal_eval(user_input)
except (ValueError, SyntaxError):
    # Handle invalid input
    pass

// ❌ Dangerous - Direct execution
eval(userInput);

// ✅ Safe - Use JSON.parse for data
try {
    const data = JSON.parse(userInput);
} catch (error) {
    // Handle invalid JSON
}

// ❌ Dangerous - Command injection
cmd := exec.Command("sh", "-c", userInput)

// ✅ Safe - Validate and sanitize input
if isValidCommand(userInput) {
    cmd := exec.Command("program", sanitizedArgs...)
}

• Use virtual environments or containers
• Don't commit secrets to version control
• Use environment variables for configuration
• Enable security linting tools

• Run agents with minimal privileges
• Use container security best practices
• Implement monitoring and alerting
• Regular security updates and patches

# config.yaml
security:
  max_input_size: 1048576  # 1MB limit
  allowed_file_extensions: [".py", ".js", ".md"]
  sandbox_enabled: true
  log_level: "INFO"  # Don't use DEBUG in production
  
network:
  timeout: 30
  max_connections: 10
  allowed_hosts: ["api.example.com"]

# Use for sensitive configuration
export QODO_API_KEY="your-api-key"
export QODO_LOG_LEVEL="INFO"
export QODO_SANDBOX_ENABLED="true"

If you discover a security vulnerability in an agent implementation:

1. Stop using the affected component immediately
2. Check for updates in the repository
3. Report the issue following our reporting guidelines
4. Monitor for patches and apply them promptly

When contributing code:

1. Follow secure coding practices
2. Run security linting tools
3. Include security tests where applicable
4. Document security considerations in your PR

• Python: bandit, safety
• Node.js: npm audit, eslint-plugin-security
• Go: gosec, govulncheck

• GitHub Dependabot
• Snyk
• OWASP Dependency Check

• Docker Bench Security
• Trivy
• Clair

• OWASP Top 10
• CWE/SANS Top 25
• NIST Cybersecurity Framework

Security updates will be:

• Prioritized over feature development
• Clearly marked in release notes
• Communicated through security advisories
• Backported to supported versions when possible

For security-related questions or concerns:

• Email: [email protected]
• PGP Key: [Available on request]

We thank the security research community for helping keep our projects secure. Contributors who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer to remain anonymous).

Remember: Security is everyone's responsibility. When in doubt, err on the side of caution and reach out to our security team.