| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues via GitHub's private vulnerability reporting:

- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Within 30 days (depending on severity)

- Acknowledgment: We'll confirm receipt of your report
- Investigation: We'll investigate and validate the issue
- Resolution: We'll develop and test a fix
- Disclosure: We'll coordinate disclosure timing with you
- Credit: We'll credit you in the release notes (unless you prefer anonymity)

- Always enable encryption (`ENGRAM_CLOUD_ENCRYPT=true`) for cloud sync
- Use dedicated API keys with minimal permissions
- Rotate credentials regularly
- Protect your local database file with appropriate file permissions
- Back up your database regularly
- Store API keys in environment variables or `.env.local`
- Never commit credentials to version control
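The following pre-flight audit script is an added example, not part of Engram's own code: it checks three of the practices above (encryption flag set, `.env.local` readable only by its owner, `.env.local` ignored by git) against a project directory. It assumes `ENGRAM_CLOUD_ENCRYPT` is compared literally against the string `true` and that secrets live in `.env.local` beside the project's `.gitignore`; the demo project and API key value at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of Engram's own code: a pre-flight audit for the
# practices listed above. Assumes ENGRAM_CLOUD_ENCRYPT is compared literally
# against "true" and that secrets live in .env.local next to .gitignore.

# 0 when cloud-sync encryption is switched on, 1 otherwise.
check_encrypt_flag() {
  [ "${ENGRAM_CLOUD_ENCRYPT:-}" = "true" ]
}

# 0 when the secrets file exists and carries no group/other read bit
# (e.g. mode 600), 1 otherwise. Octal -perm tests are POSIX, so this works
# with GNU, BSD and busybox find alike.
check_secret_file_mode() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# 0 when $2 appears as a whole line in the ignore file $1, 1 otherwise.
check_gitignored() {
  [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# Runs every check against a project directory, prints each finding and
# returns the number of failed checks (0 means clean).
audit_engram_project() {
  dir=$1
  failures=0
  check_encrypt_flag || {
    echo "FAIL: ENGRAM_CLOUD_ENCRYPT is not set to true"
    failures=$((failures + 1)); }
  check_secret_file_mode "$dir/.env.local" || {
    echo "FAIL: $dir/.env.local is missing or readable by group/others"
    failures=$((failures + 1)); }
  check_gitignored "$dir/.gitignore" ".env.local" || {
    echo "FAIL: .env.local is not listed in $dir/.gitignore"
    failures=$((failures + 1)); }
  return "$failures"
}

# Constructed demo project so the script runs offline; the key value is a
# placeholder, not a real credential.
demo_dir=$(mktemp -d)
printf 'ENGRAM_API_KEY=placeholder-not-a-real-key\n' > "$demo_dir/.env.local"
chmod 600 "$demo_dir/.env.local"
printf '.env.local\n' > "$demo_dir/.gitignore"
ENGRAM_CLOUD_ENCRYPT=true
export ENGRAM_CLOUD_ENCRYPT
if audit_engram_project "$demo_dir"; then
  echo "audit clean: $demo_dir"
fi
rm -rf "$demo_dir"
```

Run it from a shell where `ENGRAM_CLOUD_ENCRYPT` is exported the way your sync process sees it; the return value of `audit_engram_project` is the failure count, so it slots directly into a CI step or a git pre-commit hook that refuses to proceed when it is non-zero.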
Security updates will be released as patch versions and announced via GitHub Security Advisories.
Thank you for helping keep Engram secure!