We take security seriously. If you discover a security vulnerability in rememb, please report it responsibly.
- Email your report to: luizedupp@gmail.com
- Do NOT open a public GitHub issue for security vulnerabilities
- Include "SECURITY:" in the subject line
What to include:
- Vulnerability description (what is broken?)
- Steps to reproduce (how to trigger it?)
- Affected versions (which rememb versions are vulnerable?)
- Suggested fix (if you have one)
- Your contact info (for follow-up and credit)
What we commit to:
- Acknowledge receipt within 24 hours
- Provide a fix timeline within 48 hours
- Keep you updated on progress
- Credit you in the security advisory (unless you prefer anonymity)
- Release a patched version within 7 days for critical issues
| Level | Description | Example |
|---|---|---|
| Critical | Remote code execution, data breach, auth bypass | Memory injection, arbitrary file write |
| High | Privilege escalation, DoS, authentication flaw | Unauthenticated write to another user's store path |
| Medium | Information leak, input validation bypass | Exposed paths in error messages |
| Low | Hardening improvements, minor config issues | Weak default settings |
File Permissions
- rememb stores sensitive memories in `~/.rememb/` by default
- Ensure the store directory has restrictive permissions: `chmod 700 ~/.rememb`
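The following script is an added example, not part of the rememb project: it checks whether a store directory is readable or writable by group or others and applies the `chmod 700` from the recommendation above when it is too open. It assumes a POSIX shell with `ls`, `cut` and `chmod`; the `REMEMB_DIR` variable is this example's own override, not a rememb setting.

```shell
#!/bin/sh
# Added example, not part of the rememb project: verify that a rememb
# store directory is private to its owner and tighten it to mode 700
# when it is not. REMEMB_DIR is an assumed override for the default
# location ~/.rememb described in the security policy.

# Returns 0 only when the group and other permission bits of $1 are all
# clear, i.e. nobody but the owner can read, write or traverse it.
store_perms_ok() {
    dir="$1"
    [ -d "$dir" ] || return 2
    # Columns 5-10 of `ls -ld` output are the group and other triplets,
    # e.g. "r-xr-x" for mode 755 and "------" for mode 700. Parsing ls
    # sidesteps the GNU/BSD differences in the stat command's flags.
    group_other=$(ls -ld "$dir" | cut -c5-10)
    [ "$group_other" = "------" ]
}

# Reports the state of $1 and applies chmod 700 when it is too open.
# Returns 0 when the directory ends up private, non-zero otherwise.
harden_store() {
    dir="$1"
    if store_perms_ok "$dir"; then
        echo "ok: $dir is private to its owner"
        return 0
    fi
    echo "warning: $dir is accessible to group/others, applying chmod 700"
    chmod 700 "$dir" || return 1
    store_perms_ok "$dir"
}

# Stand-alone usage: check the default store location if it exists.
target="${REMEMB_DIR:-$HOME/.rememb}"
if [ -d "$target" ]; then
    harden_store "$target"
else
    echo "no store directory at $target (nothing to check)"
fi
```

Run it after `rememb` has created its store, or point `REMEMB_DIR` at a manually initialized path. Checking the group and other bits directly, rather than comparing against a fixed "700", keeps the check correct when setgid or sticky bits happen to be set on the directory.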
Sensitive Data
- Inspect entries before storing highly sensitive information
- rememb does NOT encrypt data at rest (local file system only)
- The write duplicate guard only blocks content identical to an existing entry in the same section; near-duplicates are not blocked automatically
Updates
- Keep rememb updated: `pip install --upgrade rememb`
- Subscribe to releases for security patches
Dependency Audit
- Core runtime deps: typer, rich, fastapi, uvicorn, mcp, pypdf
- We monitor for vulnerability alerts via GitHub Dependabot
Once a vulnerability is reported:
| Timeline | Action |
|---|---|
| Day 0 | Acknowledge receipt, assign severity |
| Day 1-2 | Develop and test fix |
| Day 3-7 | Release patched version (critical issues: Day 1-2) |
| Day 7+ | Publish security advisory with credit |
- v0.4.x (current) — Active (security patches + features)
- v0.3.x — Limited Support (security patches only)
- v0.2.x and older — Unsupported (end-of-life)
rememb is a local-first tool with no required network dependencies at runtime. There are no:
- remote APIs to attack
- cloud storage to compromise
- authentication servers to bypass
Storage is local JSON or SQLite under ~/.rememb/ (or a manually initialized path), protected by file system permissions.
Last Updated: June 25, 2026
Contact: luizedupp@gmail.com