Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version	Supported
0.0.7	✅
< 0.0.7	❌

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
Full paths of source file(s) related to the manifestation of the issue
The location of the affected source code (tag/branch/commit or direct URL)
Any special configuration required to reproduce the issue
Step-by-step instructions to reproduce the issue
Proof-of-concept or exploit code (if possible)
Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

When using this SDK:

API Keys: Never commit API keys or credentials to version control
- Use environment variables (OPENAI_API_KEY, etc.)
- Add .env files to .gitignore
- Rotate keys regularly

Sandbox Policy: Always configure appropriate sandbox restrictions

.withSandboxPolicy({
  mode: 'workspace-write',
  network_access: false,
  writable_roots: ['/path/to/project']
})

Input Validation: Sanitize user input before sending to the API
- Validate file paths before applying patches
- Review generated diffs before applying
Dependency Security: Keep dependencies up to date
```
npm audit
npm update
```
Native Bindings: Only use official codex-rs releases
- Verify checksums when possible
- Use tagged releases, not main branch

When we receive a security bug report, we will:

If you have suggestions on how this process could be improved, please submit a pull request or email [email protected].