
Security: vineethwilson15/codemind

SECURITY.md

Security Policy

Supported Versions

Version        Supported
main (latest)  Yes

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub Issues.

Instead, use GitHub Private Security Advisories.

You can expect:

  • Acknowledgement within 48 hours
  • Status update within 7 days
  • Credit in the release notes if you'd like

Scope

The following are in scope:

  • Remote code execution via the indexer or chat engine
  • Secrets leaking from .env files into the graph or vector store
  • Authentication bypass in the FastAPI layer
  • Prompt injection leading to exfiltration of indexed code

Out of scope

  • Issues in Docker images or third-party services (Neo4j, Qdrant, Ollama)
  • Denial of service via large repositories (mitigate with the MAX_FILE_BYTES config setting)
