| Version | Supported |
|---|---|
| 1.1.x | ✅ |
| < 1.1 | ❌ |

If you discover a security vulnerability in imugi, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email security@imugi.dev (or open a private security advisory via GitHub).

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix release: As soon as possible, depending on severity

The following are in scope:

- Code execution vulnerabilities in the CLI or MCP server
- Authentication/token handling issues
- Dependency vulnerabilities with known exploits
- Path traversal or file system access issues

The following are out of scope:

- Vulnerabilities in third-party dependencies without a known exploit
- Issues requiring physical access to the machine
- Social engineering attacks

Best practices for users:

- Never commit your `ANTHROPIC_API_KEY` or `FIGMA_TOKEN` to version control
- Use environment variables or `imugi.config.json` (which should be in `.gitignore`)
- Keep imugi updated to the latest version

Thank you for helping keep imugi secure.