AgentVibes is open source software provided "AS IS" without warranty of any kind. By using this software, you acknowledge and agree that:
- You use AgentVibes at your own risk
- The authors and contributors are not liable for any damages or security issues
- You are responsible for reviewing the code and assessing its security for your use case
- This software is licensed under the Apache License 2.0 (see LICENSE file)

While we make every effort to address security vulnerabilities promptly, we cannot guarantee the security of this software for all use cases.

We actively support the following versions of AgentVibes with security updates:

| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
| < 1.0 | ❌ |

We recommend always using the latest version to ensure you have the most recent security patches and features.

AgentVibes uses automated security scanning to identify and address vulnerabilities:
- SonarCloud: Continuous code quality and security analysis
- GitHub CodeQL: Advanced semantic code analysis for security vulnerabilities

All security hotspots and alerts are addressed before each release.

We take security seriously and appreciate your help in keeping AgentVibes safe for everyone.

If you discover a security vulnerability, please report it by:
- Email: Send details to [email protected]
- GitHub Security Advisory: Use GitHub's private vulnerability reporting

Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)
- Your contact information for follow-up

What to expect after you report:
- Initial Response: Within 48 hours of receiving your report
- Status Updates: Every 7 days until the issue is resolved
- Resolution: We aim to release a patch within 30 days for critical vulnerabilities

If the vulnerability is accepted:
- We will work on a fix and keep you informed of progress
- You will be credited in the release notes (unless you prefer to remain anonymous)
- We will coordinate disclosure timing with you
- A CVE will be requested if applicable

If the vulnerability is declined:
- We will explain why we don't consider it a security issue
- We may still address it as a bug or feature request
- You will receive a detailed explanation of our decision

When using AgentVibes:
- Keep Updated: Always use the latest version
- Review Permissions: Understand what file access AgentVibes requires
- Environment Variables: Never commit API keys or credentials to version control
- Audit Dependencies: We regularly update dependencies to patch known vulnerabilities
- Report Issues: If you see something suspicious, report it

Our disclosure policy:
- We follow responsible disclosure practices
- Security fixes are prioritized over feature development
- We will publicly disclose vulnerabilities only after a patch is available
- Critical vulnerabilities may result in an emergency release

For security concerns, contact:
- Email: [email protected]
- Website: https://agentvibes.org

Thank you for helping keep AgentVibes secure!