Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in OpenDiff, please report it responsibly. Do not open a public GitHub issue.

Email juliuswallblom@gmail.com with:

Description of the vulnerability
Steps to reproduce
Affected versions or components
Potential impact

You should receive a response within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

Scope

This policy covers the OpenDiff repository and its packages:

apps/bff - API server
apps/app - Console dashboard
apps/site - Marketing site
apps/review-agent - AI code review agent
packages/shared - Shared libraries
packages/components - UI components

Out of Scope

Issues in third-party dependencies (report these upstream)
Social engineering attacks
Denial of service attacks

There aren't any published security advisories