| Version | Supported |
|---|---|
| 1.x.x | ✅ |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email the maintainers directly with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to address the issue.
- Keep updated: Always use the latest version
- Validate configs: Use
multi-agent-cli config validatebefore running - Secure credentials: Never commit API tokens or secrets in config files
- Use environment variables: Store sensitive values in environment variables
- Review workflows: Audit workflow files before execution
- Input validation: All user inputs are validated
- No eval/exec: Never use
eval()orexec()on user input - Path validation: File paths are validated to prevent traversal attacks
- Safe YAML loading: Uses
yaml.safe_load()exclusively - Dependency scanning: Dependencies are regularly scanned with Dependabot
- CodeQL analysis on every push
- Dependency vulnerability scanning
- Input validation on all CLI commands
- Path containment checks
- No arbitrary code execution
We appreciate security researchers who help improve the security of this project.