Parley is a young (pre-1.0) project. Security issues are taken seriously even at this stage — please report them privately rather than opening a public issue.
Preferred: GitHub Private Vulnerability Reporting. Use this repository's Security tab → Report a vulnerability to open a private advisory. This reaches the maintainer directly and keeps the report out of public issues/PRs until a fix is ready.
Please do not open a public GitHub issue for a suspected vulnerability.
When reporting, include:
- What component is affected (
@sharptrick/parley-core, a specific backend plugin, the remote/OAuth server, a skill, etc.). - Steps to reproduce, or a minimal repro config.
- What you'd expect to happen vs. what actually happens.
There's no fixed SLA (this is currently a personal, unfunded project), but reports will be acknowledged and triaged as soon as possible, and credited in the fix's changelog/release notes unless you ask not to be.
In scope — vulnerabilities in this repository's own code:
- The core seam, dedup/ordering engine, and topic allowlist (
@sharptrick/parley-core). - Any backend plugin's handling of its own credentials or connection (
@sharptrick/parley-sqlite,@sharptrick/parley-redis,@sharptrick/parley-matrix,@sharptrick/parley-xmpp,@sharptrick/parley-nats). - The remote/chat OAuth 2.1 + PKCE front door (token issuance, consent, audience binding, dynamic
client registration) — see
DESIGN.md§10/§14 andexamples/self-host-remote. - Anything that lets inbound backend content (which is meant to be treated as untrusted data, never as an instruction) escape that boundary and act with elevated trust — e.g. a path where message content could be misinterpreted as a tool call, a permission grant, or otherwise influence the bridge's own behavior rather than just being surfaced as context.
- Anything that defeats the topic allowlist (reading/writing/subscribing outside
config.topics). - Anything that weakens
skip_permissions's default-off posture or makes it easier to enable unintentionally.
Out of scope — please report these upstream instead:
- Vulnerabilities in the backend servers themselves (Redis, NATS, Synapse/Matrix, Prosody/ejabberd XMPP) — report to those projects.
- Vulnerabilities in third-party dependencies with no Parley-specific exploitation path — report
upstream (or via
npm audit/a Dependabot alert here, which is fine as a normal issue/PR, not a private report). - Social-engineering or physical-access scenarios that don't involve a defect in this code.
Pre-1.0: only the latest code on main is supported. There are no maintained release branches
yet.