| Version | Supported |
|---|---|
| 2.4.x | ✅ Active |
| 2.3.x | ✅ |
| 2.0.x – 2.2.x | |
| < 2.0 | ❌ |
If you discover a security vulnerability, please report it responsibly:
- Create a GitHub Issue with the `security` label
- For critical vulnerabilities, use GitHub Security Advisories instead
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:
- Acknowledgment: within 48 hours
- Assessment: within 1 week
- Fix & Release: within 2 weeks for critical issues
ContribAI handles sensitive data:
- GitHub Tokens – Stored in `config.yaml` (gitignored)
- LLM API Keys – Stored in `config.yaml` (gitignored)
- LLM Outputs – Treated as untrusted data, sanitized before use
- Repository Code – Fetched via API, processed in memory
- PR Outcomes – Stored locally in SQLite database
Security measures:
- Config files with secrets are in `.gitignore`
- Only `yaml.safe_load()` is used (no unsafe deserialization)
- LLM output is parsed with try/except, never `eval()`'d
- GitHub tokens use minimal required scopes
- Rate limiting prevents API abuse
- DCO signoff on all commits via GitHub API
- Middleware chain validates and gates every pipeline action
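The two items about LLM output (treated as untrusted data and sanitized, parsed with try/except rather than `eval()`) worked into runnable form. This is an added example written for this page, not ContribAI's own parser: the `Proposal` schema (title, body, files), the length and path limits, the `triage()` wrapper and the sample replies are all assumptions, and the sample replies are constructed, not real model output.

```python
"""Treat LLM output as untrusted data: parse, validate, sanitize (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Tuple

MAX_TITLE_LEN = 120          # assumed limits, not ContribAI's values
MAX_BODY_LEN = 4000
MAX_FILES = 20
EXPECTED_KEYS = {"title", "body", "files"}   # assumed schema
# Repository-relative path: no leading slash, no ".." segment, conservative charset.
SAFE_PATH_RE = re.compile(r"^(?!/)(?!.*(?:^|/)\.\.(?:/|$))[A-Za-z0-9._/\-]+$")
FENCE_RE = re.compile(r"```(?:json)?\s*(.*?)```", re.DOTALL)


class LLMOutputError(ValueError):
    """The model's reply could not be turned into a safe, well-formed proposal."""


@dataclass(frozen=True)
class Proposal:
    title: str
    body: str
    files: Tuple[str, ...]


def _extract_json(text: str) -> str:
    """Models often wrap JSON in a ``` fence; take the fenced body if present."""
    match = FENCE_RE.search(text)
    return match.group(1) if match else text


def _clean_text(value, max_len: int, allow_newlines: bool) -> str:
    """Require a string, drop control characters, trim and cap the length."""
    if not isinstance(value, str):
        raise LLMOutputError(f"expected a string, got {type(value).__name__}")
    kept = "".join(ch for ch in value
                   if ch.isprintable() or (allow_newlines and ch == "\n")).strip()
    if not kept:
        raise LLMOutputError("empty text field")
    return kept[:max_len]


def parse_proposal(raw_reply: str) -> Proposal:
    """json.loads inside try/except; never eval() or exec() on model text."""
    try:
        data = json.loads(_extract_json(raw_reply))
    except json.JSONDecodeError as exc:
        raise LLMOutputError(f"reply is not valid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise LLMOutputError("top-level value must be an object")
    unexpected = set(data) - EXPECTED_KEYS
    if unexpected:
        raise LLMOutputError(f"unexpected keys: {sorted(unexpected)}")
    files = data.get("files", [])
    if not isinstance(files, list) or len(files) > MAX_FILES:
        raise LLMOutputError(f"files must be a list of at most {MAX_FILES} paths")
    for path in files:
        if not isinstance(path, str) or not SAFE_PATH_RE.match(path):
            raise LLMOutputError(f"unsafe or malformed path: {path!r}")
    return Proposal(
        title=_clean_text(data.get("title"), MAX_TITLE_LEN, allow_newlines=False),
        body=_clean_text(data.get("body"), MAX_BODY_LEN, allow_newlines=True),
        files=tuple(files),
    )


def triage(raw_reply: str) -> str:
    """Wrapper returning 'accepted: <title>' or 'rejected: <reason>'."""
    try:
        proposal = parse_proposal(raw_reply)
    except LLMOutputError as exc:
        return f"rejected: {exc}"
    return f"accepted: {proposal.title}"


# Constructed sample replies for the walk-through (not real model output).
SAMPLE_REPLIES = {
    "fenced_ok": '```json\n{"title": "Fix typo in README", "body": "Corrects a misspelling.", '
                 '"files": ["docs/README.md"]}\n```',
    "prose_not_json": "Sure! Here is the change you asked for: {title: Fix typo}",
    "traversal": '{"title": "Update", "body": "x", "files": ["../outside-repo.txt"]}',
    "extra_key": '{"title": "Update", "body": "x", "files": [], "extra": 1}',
    "control_chars": '{"title": "Fix\\u0007 bug", "body": "ok", "files": []}',
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"{name:15s} -> {triage(reply)}")
```

The config side follows the same principle with less code: `yaml.safe_load()` only constructs plain mappings, sequences and scalars and rejects the `!!python/object` family of tags, so a tampered `config.yaml` cannot instantiate arbitrary Python objects the way an unrestricted loader would.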
Pipeline safeguards:
- Middleware chain — RateLimit and Validation middlewares run before any processing
- Quality gate — QualityGateMiddleware blocks low-scoring contributions
- Retry with backoff — RetryMiddleware prevents retry-based abuse
- Outcome memory — Learns from rejected PRs to avoid repeating mistakes
- Tool protocol — All external interactions go through typed Tool interface
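A minimal middleware chain that reproduces the ordering described above (RateLimit and Validation first, QualityGate before the action runs, bounded Retry innermost so a refused action is never retried). This is an added example written for this page, not ContribAI's own middleware: the class names are taken from the list above, but the `Action` shape, the allowed action kinds, the thresholds, the `build_pipeline()` wiring and the `run_scenarios()` walk-through are assumptions.

```python
"""Middleware chain that gates pipeline actions (added example, not ContribAI's code)."""
import re
import time
from dataclasses import dataclass, field
from typing import List

ALLOWED_KINDS = {"open_pr", "comment", "push_branch"}        # assumed action vocabulary
REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")  # owner/name


@dataclass
class Action:
    repo: str
    kind: str
    score: float                                    # quality score, 0.0 to 1.0
    trace: List[str] = field(default_factory=list)  # middlewares that saw the action


class Blocked(Exception):
    """A middleware refused the action; this is final and is never retried."""


class TransientError(Exception):
    """A retryable failure such as an upstream 5xx."""


class RateLimitMiddleware:
    """Sliding-window limiter; the clock is injectable so tests are deterministic."""

    def __init__(self, max_calls: int, window_s: int, clock=time.monotonic):
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self._events: List[float] = []

    def handle(self, action: Action, next_):
        now = self.clock()
        self._events = [t for t in self._events if now - t < self.window_s]
        if len(self._events) >= self.max_calls:
            raise Blocked(f"rate limit: {self.max_calls} per {self.window_s}s")
        self._events.append(now)
        return next_(action)


class ValidationMiddleware:
    """Reject unknown action kinds and malformed repository names up front."""

    def handle(self, action: Action, next_):
        if action.kind not in ALLOWED_KINDS:
            raise Blocked(f"unknown action kind {action.kind!r}")
        if not REPO_RE.match(action.repo):
            raise Blocked(f"malformed repo {action.repo!r}")
        return next_(action)


class QualityGateMiddleware:
    def __init__(self, threshold: float):
        self.threshold = threshold

    def handle(self, action: Action, next_):
        if action.score < self.threshold:
            raise Blocked(f"quality {action.score:.2f} below {self.threshold:.2f}")
        return next_(action)


class RetryMiddleware:
    """Bounded exponential backoff; only TransientError is retried, Blocked is not."""

    def __init__(self, max_attempts=3, base_delay_s=0.5, sleep=time.sleep):
        self.max_attempts, self.base_delay_s, self.sleep = max_attempts, base_delay_s, sleep

    def handle(self, action: Action, next_):
        for attempt in range(1, self.max_attempts + 1):
            try:
                return next_(action)
            except TransientError:
                if attempt == self.max_attempts:
                    raise
                self.sleep(self.base_delay_s * 2 ** (attempt - 1))


def build_pipeline(middlewares, handler):
    """Wire the middlewares in list order around the final handler."""
    def dispatch(i: int, action: Action):
        if i == len(middlewares):
            return handler(action)
        middleware = middlewares[i]
        action.trace.append(type(middleware).__name__)
        return middleware.handle(action, lambda a: dispatch(i + 1, a))
    return lambda action: dispatch(0, action)


def default_pipeline(handler, clock=time.monotonic, sleep=time.sleep):
    return build_pipeline([
        RateLimitMiddleware(max_calls=5, window_s=60, clock=clock),
        ValidationMiddleware(),
        QualityGateMiddleware(threshold=0.7),
        RetryMiddleware(max_attempts=3, base_delay_s=0.5, sleep=sleep),
    ], handler)


def run_scenarios() -> dict:
    """Deterministic walk-through with a frozen clock and a recording sleep (constructed)."""
    handled, slept, fail_once = [], [], [True]

    def handler(action: Action):
        if fail_once[0]:                 # first call fails transiently, then succeeds
            fail_once[0] = False
            raise TransientError("upstream 502")
        handled.append(action.kind)
        return f"{action.kind} done"

    def outcome(run, action):
        try:
            return run(action)
        except Blocked as exc:
            return f"blocked: {exc}"

    run = default_pipeline(handler, clock=lambda: 0.0, sleep=slept.append)
    good = Action("octo/repo", "open_pr", 0.9)
    results = {"good": run(good), "order": good.trace, "slept": list(slept)}
    results["low_score"] = outcome(run, Action("octo/repo", "open_pr", 0.3))
    results["bad_kind"] = outcome(run, Action("octo/repo", "delete_repo", 0.99))
    for _ in range(2):                   # uses up the remaining budget of 5 calls
        run(Action("octo/repo", "comment", 0.9))
    results["rate_limited"] = outcome(run, Action("octo/repo", "comment", 0.9))
    results["handled"] = handled
    return results
```

Because the rate limiter counts every action that reaches it, a contribution the quality gate later refuses still consumes budget, which is what stops a loop of low-quality attempts from hammering the API; and because `RetryMiddleware` is innermost, a retry re-enters only the handler, never the gates, so a `Blocked` decision cannot be bypassed by retrying.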