Security fixes are provided only for the latest published release of cc-safety-net. If you are running an older version, upgrade and retest before reporting, unless you have already confirmed that the vulnerability also affects the latest release. This page summarizes the policy; the canonical version is SECURITY.md in the source repository.

Reporting a vulnerability

Do not report security vulnerabilities in public GitHub issues. Use GitHub private vulnerability reporting for the repository when available. If that is unavailable, email the maintainer at jliew@420024lab.com. Include as much detail as you can safely share:
  • The affected cc-safety-net version
  • Your operating system and runtime version
  • The affected integration (Claude Code, Codex, Copilot CLI, Gemini CLI, Kimi Code, OpenCode, or Pi)
  • Steps to reproduce, and the command or input that bypasses, weakens, or abuses CC Safety Net
  • Any relevant output from cc-safety-net explain or cc-safety-net doctor
  • The concrete impact: data loss, command execution, secret exposure, or something else
Redact tokens, credentials, private repository names, and sensitive file paths before sending logs or command output.

What counts as a security issue

  • A bypass that lets a clearly destructive command execute when CC Safety Net should block it
  • A parsing or wrapper-analysis flaw that makes documented protections ineffective
  • Leakage of secrets through block messages, audit logs, diagnostics, or debug output
  • A path traversal or filesystem issue in audit logging or configuration handling
  • A supply-chain or packaging issue affecting the published npm package or plugin distribution

What belongs in public issues instead

Use normal GitHub issues for false positives (safe commands blocked), missing convenience rules or feature requests, documentation bugs, and installation problems without a security impact.

Response and disclosure

You should receive an initial response within 7 days. The maintainer will work with you to confirm the impact, identify affected versions, prepare a fix, and coordinate disclosure. Once a vulnerability is confirmed, a fix is published as soon as practical, optionally with a GitHub security advisory that credits you as the reporter unless you ask not to be named. Please do not publicly disclose exploit details until a fixed version is available.