| Version | Supported |
|---|---|
| 0.0.x (latest) | ✅ |
| < 0.0.1 | ❌ |

As Dnuzi AI is pre-1.0, security fixes are applied to the latest release only.
Please do not open a public GitHub Issue for security vulnerabilities.
If you discover a security issue, please report it privately:
- Go to the Security tab on GitHub and open a private advisory, or
- Email the maintainer directly (see the `author` field in `package.json`).
Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional but appreciated)
You can expect an acknowledgement within 48 hours and a status update within 7 days.
We follow a coordinated disclosure model:
- Reporter submits the vulnerability privately.
- Maintainer confirms, assesses severity, and begins a fix.
- A patched release is published.
- A public advisory is opened after the patch is available.
We ask that you give us a reasonable timeframe (typically 14 days) to address the issue before any public disclosure.
- MongoDB URI — The default connection string in `src/storage.js` uses a shared cloud database intended for demo/development use. Do not store sensitive or production data through the default URI. For production use, supply your own MongoDB instance.
- API endpoint — All AI requests are sent to `https://ai.dnuz.top/api/ai` over HTTPS. No API keys are required or transmitted by the client at this time.
- No authentication layer — The CLI and SDK do not authenticate the end user. Access controls are the responsibility of the deploying application.
The following are not considered security vulnerabilities for this project:
- Rate limiting or abuse of the public `ai.dnuz.top` API endpoint
- Issues in third-party dependencies (please report those upstream)
- Theoretical attacks with no practical exploit path
Thank you for helping keep Dnuzi AI safe! 🔒