| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |

If you discover a security vulnerability in vibecosystem, please report it responsibly.
Do NOT open a public issue for security vulnerabilities.
- Email: security@vibeeval.com (or DM @vibeeval on Twitter)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix: Depending on severity, within 7-30 days
- Disclosure: After the fix is released
The following are in scope:
- Hook code execution (TypeScript hooks in `hooks/src/`)
- `install.sh` script security
- Agent prompt injection vulnerabilities
- Credential/secret exposure in any files
The following are out of scope:
- Issues in Claude Code itself (report to Anthropic)
- Social engineering attacks
- Denial of service

- Never commit secrets, API keys, or credentials
- All hooks run in the user's shell context - be careful with `Bash` tool calls
- Agent prompts should not instruct bypassing security controls
- Review `install.sh` changes carefully - it runs with user privileges
We appreciate security researchers who help keep vibecosystem safe. Responsible reporters will be credited here (with permission).