mirror of
https://github.com/bmad-code-org/BMAD-METHOD.git
synced 2026-01-30 04:32:02 +00:00
993d02b8b3
Expanded the security policy to include supported versions, reporting guidelines, response timelines, security scope, and best practices for users. Co-authored-by: Alex Verkhovsky <alexey.verkhovsky@gmail.com>
86 lines
3.1 KiB
Markdown
86 lines
3.1 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
We release security patches for the following versions:
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| Latest | :white_check_mark: |
|
|
| < Latest | :x: |
|
|
|
|
We recommend always using the latest version of BMad Method to ensure you have the most recent security updates.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
|
|
|
|
### How to Report
|
|
|
|
**Do NOT report security vulnerabilities through public GitHub issues.**
|
|
|
|
Instead, please report them via one of these methods:
|
|
|
|
1. **GitHub Security Advisories** (Preferred): Use [GitHub's private vulnerability reporting](https://github.com/bmad-code-org/BMAD-METHOD/security/advisories/new) to submit a confidential report.
|
|
|
|
2. **Discord**: Contact a maintainer directly via DM on our [Discord server](https://discord.gg/gk8jAdXWmj).
|
|
|
|
### What to Include
|
|
|
|
Please include as much of the following information as possible:
|
|
|
|
- Type of vulnerability (e.g., prompt injection, path traversal, etc.)
|
|
- Full paths of source file(s) related to the vulnerability
|
|
- Step-by-step instructions to reproduce the issue
|
|
- Proof-of-concept or exploit code (if available)
|
|
- Impact assessment of the vulnerability
|
|
|
|
### Response Timeline
|
|
|
|
- **Initial Response**: Within 48 hours of receiving your report
|
|
- **Status Update**: Within 7 days with our assessment
|
|
- **Resolution Target**: Critical issues within 30 days; other issues within 90 days
|
|
|
|
### What to Expect
|
|
|
|
1. We will acknowledge receipt of your report
|
|
2. We will investigate and validate the vulnerability
|
|
3. We will work on a fix and coordinate disclosure timing with you
|
|
4. We will credit you in the security advisory (unless you prefer to remain anonymous)
|
|
|
|
## Security Scope
|
|
|
|
### In Scope
|
|
|
|
- Vulnerabilities in BMad Method core framework code
|
|
- Security issues in agent definitions or workflows that could lead to unintended behavior
|
|
- Path traversal or file system access issues
|
|
- Prompt injection vulnerabilities that bypass intended agent behavior
|
|
- Supply chain vulnerabilities in dependencies
|
|
|
|
### Out of Scope
|
|
|
|
- Security issues in user-created custom agents or modules
|
|
- Vulnerabilities in third-party AI providers (Claude, GPT, etc.)
|
|
- Issues that require physical access to a user's machine
|
|
- Social engineering attacks
|
|
- Denial of service attacks that don't exploit a specific vulnerability
|
|
|
|
## Security Best Practices for Users
|
|
|
|
When using BMad Method:
|
|
|
|
1. **Review Agent Outputs**: Always review AI-generated code before executing it
|
|
2. **Limit File Access**: Configure your AI IDE to limit file system access where possible
|
|
3. **Keep Updated**: Regularly update to the latest version
|
|
4. **Validate Dependencies**: Review any dependencies added by generated code
|
|
5. **Environment Isolation**: Consider running AI-assisted development in isolated environments
|
|
|
|
## Acknowledgments
|
|
|
|
We appreciate the security research community's efforts in helping keep BMad Method secure. Contributors who report valid security issues will be acknowledged in our security advisories.
|
|
|
|
---
|
|
|
|
Thank you for helping keep BMad Method and our community safe.
|