Security patches go into main and the latest release. If you're running something older, upgrade.
Found a security issue? Don't open a public GitHub issue - email max.azatian@gmail.com instead.
Include what you can: vulnerability type, where it occurs, reproduction steps, PoC if you have one. You'll get an acknowledgment within 48 hours. If confirmed, we'll patch it and credit you in the disclosure (unless you prefer to stay anonymous).
The CI pipeline runs Bandit on the Python backend for static analysis, and Dependabot keeps dependencies patched across Python, npm, and Docker. For SBOM generation and vulnerability scanning, see Supply Chain Security.
Executor pods run user code with non-root users, read-only filesystems, dropped capabilities, and no service account tokens. Network policies deny all traffic by default. Details in Network Isolation.
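The four pod controls above map onto a handful of Kubernetes manifest fields, and "deny all traffic by default" is one NetworkPolicy shape. The following added example (not the project's own code) audits a Pod spec and a NetworkPolicy for exactly those controls; field names are standard Kubernetes API fields and the sample manifests are constructed.

```python
# Added example: audit a Pod manifest and a NetworkPolicy for the executor
# hardening controls described above. Sample manifests below are constructed.

def audit_executor_pod(pod: dict) -> list:
    """Return findings for the four controls; an empty list means the pod passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    # Kubernetes mounts a service account token by default, so "no token"
    # requires automountServiceAccountToken to be explicitly false.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("pod: automountServiceAccountToken is not false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        # runAsNonRoot may be set at pod or container level; container wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
    return findings

def is_default_deny(policy: dict) -> bool:
    """True if the policy selects every pod in its namespace (empty podSelector),
    covers both Ingress and Egress, and carries no allow rules at all."""
    spec = policy.get("spec", {})
    return (spec.get("podSelector") == {}
            and set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
            and not spec.get("ingress") and not spec.get("egress"))

# Constructed sample manifests: one hardened pod, one weak pod, one default-deny policy.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "executor", "image": "executor:example",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "containers": [{"name": "executor", "image": "executor:example",
                    "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}}
DEFAULT_DENY = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

if __name__ == "__main__":
    print(audit_executor_pod(HARDENED_POD))   # []
    print(audit_executor_pod(WEAK_POD))       # four findings
    print(is_default_deny(DEFAULT_DENY))      # True
```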
Secrets stay out of the repo - .env files and credentials are your responsibility to manage in deployment.