Security is a top priority for CommitWeave. We take all security concerns seriously and appreciate the community's help in identifying and resolving potential vulnerabilities.
DO NOT create public GitHub issues for security vulnerabilities. Instead:
- Primary: Email security@glincker.com
- Backup: Email support@glincker.com with "SECURITY" in the subject
Please provide as much information as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions of CommitWeave
- Environment details (OS, Node.js version, etc.)
- Potential impact assessment
- Suggested fix (if you have one)
- Your contact information for follow-up
We are committed to:
- Acknowledging your report within 24 hours
- Providing regular updates on our progress
- Keeping your report confidential until a fix is released
- Crediting you appropriately (if you wish) in our security advisories
Security updates are provided for the following versions:
| Version | Supported | End of Life |
|---|---|---|
| 0.1.x | Full support | TBD |
| < 0.1 | No support | Immediate |
VS Code Extension:
| Version | Supported | End of Life |
|---|---|---|
| Latest | Full support | - |
| Previous | | 6 months |
CommitWeave handles sensitive information including:
- AI provider API keys (OpenAI, Anthropic)
- Git repository access
- Configuration files
We Never:
- Log or store API keys
- Transmit keys to unauthorized endpoints
- Include keys in error messages or debug output
- Commit keys to repositories
Users Should:
- Store API keys in secure environment variables
- Use key rotation best practices
- Review configuration files before sharing
- Report any key exposure immediately
CommitWeave makes network requests to:
- AI provider APIs (OpenAI, Anthropic)
- Git remote repositories
- npm registry (for updates)
Security Measures:
- All API calls use HTTPS
- Certificate pinning where applicable
- Request validation and sanitization
- Timeout and retry limits
File System Access:
- Read access to git repository and configuration
- Write access only to generated commit messages
- No modification of source code or sensitive files
Process Security:
- No arbitrary command execution
- Sandboxed execution environment
- Input validation and sanitization
Extension Permissions:
- File system access (repository directory)
- Terminal access (for CLI integration)
- Configuration storage
- Webview content security policy (CSP)
Security Controls:
- CSP headers prevent XSS in webviews
- No remote code execution
- Limited VS Code API surface
- Secure inter-process communication
- < 24 hours: Initial response confirming receipt
- < 48 hours: Initial assessment and severity classification
- Critical: Fix within 1-3 days
- High: Fix within 1 week
- Medium: Fix within 2 weeks
- Low: Fix in next regular release
- Coordinated disclosure with reporter
- Public advisory after fix is released
- CVE assignment for qualifying vulnerabilities
We recognize security researchers who help improve CommitWeave:
No reports yet - be the first to help us improve security!
- Critical/High: Immediate notification via GitHub Security Advisories
- Medium/Low: Included in regular release notes
- All: Email notifications to security@glincker.com subscribers
- Patch releases (0.1.1, 0.1.2) for security fixes
- Automated updates encouraged for security patches
- Backwards compatibility maintained when possible
- Keep Updated: Use the latest version of CommitWeave
- Secure API Keys: Use environment variables, never commit keys
- Review Configurations: Check settings before sharing
- Network Security: Use secure networks for API calls
- Report Issues: Notify us of any suspicious behavior
- Secure Development: Follow secure coding practices
- Dependency Management: Regular security audits of dependencies
- Code Review: Security-focused PR reviews
- Testing: Include security test cases
- Documentation: Clear security guidance in docs
- npm audit: Dependency vulnerability scanning
- GitHub Security Advisories: Automated vulnerability detection
- Code Analysis: Static analysis for common vulnerabilities
- Supply Chain: Package integrity verification
- Code audits for sensitive functionality
- Penetration testing for the VS Code extension
- Configuration reviews for secure defaults
- Documentation reviews for security guidance
- Email: security@glincker.com
- Response Time: < 24 hours
- GPG Key: Available upon request
- Email: support@glincker.com
- GitHub Issues: For non-security bugs only
- Documentation: GitHub Repository
We follow responsible disclosure practices:
- 90-day disclosure timeline (negotiable for complex issues)
- Coordination with reporters throughout the process
- Public recognition for responsible reporters
- No legal action against good-faith security researchers
CommitWeave is designed to comply with:
- OWASP Top 10 security guidelines
- Common security standards for developer tools
- Privacy regulations regarding data handling
- Open source security best practices
Security is everyone's responsibility. Thank you for helping keep CommitWeave secure!
Maintained by GLINR STUDIOS
Security Contact: security@glincker.com