If you discover a security vulnerability in VibeFrame, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, email: security@vibeframe.dev

You should receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

Only the latest minor release is supported with security fixes. Check the current version in package.json.

VibeFrame uses multiple AI provider API keys. Follow these practices:

• Store API keys in .env files (already in .gitignore)
• Use environment variables for CI/CD pipelines
• Rotate keys periodically
• Use provider-specific key scoping where available

• Commit .env files to version control
• Share API keys in issues, PRs, or discussions
• Hardcode keys in source code
• Use production keys in development

Each command only requires the key for its specific provider. See MODELS.md for which keys each command needs.

# Copy the example and fill in only the keys you need
cp .env.example .env

We regularly audit dependencies for known vulnerabilities:

pnpm audit

VibeFrame shells out to FFmpeg for video processing. All file paths are validated and properly escaped to prevent command injection. If you find a path handling issue, please report it via the process above.