| Version | Supported |
|---|---|
| 0.x.x | ✅ |

We take security seriously. If you discover a security vulnerability in cmdk-engine, please report it responsibly.

- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly at mailpriyanshugarg@gmail.com
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours of your report
- Status Update: Within 7 days with an assessment
- Resolution: Timeline depends on severity and complexity

| Level | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, credential exposure | 24-48 hours |
| High | Significant data exposure, auth bypass | 3-5 days |
| Medium | Limited data exposure, denial of service | 1-2 weeks |
| Low | Minor issues with limited impact | Next release |

- cmdk-engine's access control layer is a filter, not an authentication or authorization system. It hides commands from the UI but does not prevent direct URL navigation. Always enforce permissions server-side.
- The frecency storage uses `localStorage` by default. Do not store sensitive data in command metadata.
- The CLI tool's route scanner reads your source files. It does not execute them or make network requests.
- Never log or expose user credentials, tokens, or sensitive metadata
- Keep dependencies minimal and audit regularly
- Prefer pure functions over side effects in core modules
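The following is an added example, not cmdk-engine's own code, illustrating two of the considerations above: the palette's access control filter only decides what is shown, so the route itself must be authorized server-side, and frecency storage should persist only the fields it needs rather than raw command metadata. The command registry shape, the permission strings, and the helper names (`visibleCommands`, `authorizeRoute`, `frecencyRecord`, `recordUse`) are assumptions made for this illustration and are not cmdk-engine's API.

```javascript
// Added example, not cmdk-engine's own code. The registry shape, permission
// strings and helper names are assumptions for this illustration.

// Constructed sample registry: each command navigates to a route and names
// the permission a user needs for it.
const COMMANDS = [
  { id: 'go-dashboard', route: '/dashboard', permission: 'dashboard:view' },
  { id: 'go-admin', route: '/admin', permission: 'admin:manage' },
  { id: 'export-users', route: '/admin/export', permission: 'users:export' },
];

// Client-side filter, the role the access control layer plays: it decides
// what the palette shows. A user can still type /admin into the address
// bar, so this function protects nothing on its own.
function visibleCommands(commands, userPermissions) {
  const granted = new Set(userPermissions);
  return commands.filter((cmd) => granted.has(cmd.permission));
}

// Server-side authorization for the same routes. This is the check that
// must run on every request, independent of what the UI hid or showed.
// Returns an HTTP-style status so the caller can respond uniformly.
function authorizeRoute(commands, path, userPermissions) {
  const cmd = commands.find((c) => c.route === path);
  if (!cmd) return { status: 404, allowed: false };
  const granted = new Set(userPermissions);
  if (!granted.has(cmd.permission)) return { status: 403, allowed: false };
  return { status: 200, allowed: true };
}

// Frecency only needs to know which command was used, how often and when.
// Persist exactly that allowlist of fields; command metadata (which might
// carry tokens or other sensitive values) never reaches storage.
function frecencyRecord(cmd, previous, now) {
  const count = previous ? previous.count + 1 : 1;
  return { id: cmd.id, count, lastUsed: now };
}

// Minimal in-memory stand-in for localStorage so the example runs under Node.
function makeStore() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
  };
}

// Records one use of a command into the store and returns the stored JSON.
function recordUse(store, cmd, now) {
  const key = 'cmdk:frecency:' + cmd.id;
  const previous = JSON.parse(store.getItem(key)); // null on first use
  const record = frecencyRecord(cmd, previous, now);
  store.setItem(key, JSON.stringify(record));
  return store.getItem(key);
}

// Walk-through: a viewer sees only the dashboard command, yet a direct
// request to /admin is still decided by the server, not by the palette.
// The constructed metadata.token value never appears in what was stored.
function demo() {
  const viewer = ['dashboard:view'];
  const shown = visibleCommands(COMMANDS, viewer).map((c) => c.id);
  const direct = authorizeRoute(COMMANDS, '/admin', viewer);
  const store = makeStore();
  const cmdWithSecret = { ...COMMANDS[0], metadata: { token: 'constructed-secret' } };
  recordUse(store, cmdWithSecret, 1000);
  const stored = recordUse(store, cmdWithSecret, 2000);
  return { shown, directStatus: direct.status, stored };
}

console.log(demo());
```

The point of `authorizeRoute` is that it consults the same permission requirement the UI used, but on the server and for every request; `visibleCommands` can stay a pure presentation concern. `frecencyRecord` takes the opposite approach to sanitising: instead of stripping known-sensitive keys from metadata, it copies only the three fields frecency needs, so new metadata fields can never leak into `localStorage` by accident.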
We appreciate responsible disclosure and will acknowledge security researchers who help improve cmdk-engine's security.