# Security Policy ## Supported Versions We release security patches for the following versions: | Version | Supported | | ------- | ------------------ | | Latest | :white_check_mark: | | < Latest | :x: | We recommend always using the latest version of BMad Method to ensure you have the most recent security updates. ## Reporting a Vulnerability We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly. ### How to Report **Do NOT report security vulnerabilities through public GitHub issues.** Instead, please report them via one of these methods: 1. **GitHub Security Advisories** (Preferred): Use [GitHub's private vulnerability reporting](https://github.com/bmad-code-org/BMAD-METHOD/security/advisories/new) to submit a confidential report. 2. **Discord**: Contact a maintainer directly via DM on our [Discord server](https://discord.gg/gk8jAdXWmj). ### What to Include Please include as much of the following information as possible: - Type of vulnerability (e.g., prompt injection, path traversal, etc.) - Full paths of source file(s) related to the vulnerability - Step-by-step instructions to reproduce the issue - Proof-of-concept or exploit code (if available) - Impact assessment of the vulnerability ### Response Timeline - **Initial Response**: Within 48 hours of receiving your report - **Status Update**: Within 7 days with our assessment - **Resolution Target**: Critical issues within 30 days; other issues within 90 days ### What to Expect 1. We will acknowledge receipt of your report 2. We will investigate and validate the vulnerability 3. We will work on a fix and coordinate disclosure timing with you 4. We will credit you in the security advisory (unless you prefer to remain anonymous) ## Security Scope ### In Scope - Vulnerabilities in BMad Method core framework code - Security issues in agent definitions or workflows that could lead to unintended behavior - Path traversal or file system access issues - Prompt injection vulnerabilities that bypass intended agent behavior - Supply chain vulnerabilities in dependencies ### Out of Scope - Security issues in user-created custom agents or modules - Vulnerabilities in third-party AI providers (Claude, GPT, etc.) - Issues that require physical access to a user's machine - Social engineering attacks - Denial of service attacks that don't exploit a specific vulnerability ## Security Best Practices for Users When using BMad Method: 1. **Review Agent Outputs**: Always review AI-generated code before executing it 2. **Limit File Access**: Configure your AI IDE to limit file system access where possible 3. **Keep Updated**: Regularly update to the latest version 4. **Validate Dependencies**: Review any dependencies added by generated code 5. **Environment Isolation**: Consider running AI-assisted development in isolated environments ## Acknowledgments We appreciate the security research community's efforts in helping keep BMad Method secure. Contributors who report valid security issues will be acknowledged in our security advisories. --- Thank you for helping keep BMad Method and our community safe.