This project is a reference implementation. Security fixes are applied to the
latest version on main only.
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing security@warp.dev with:
- A description of the vulnerability and its potential impact
- Steps to reproduce or proof-of-concept code
- Any suggested remediation
You should receive an acknowledgement within 48 hours. We aim to release a fix within 14 days for critical issues and 90 days for lower-severity issues.
We will credit reporters in the fix commit unless you prefer to remain anonymous.
In scope:
- Credential exposure or leakage in source code or generated files
- Dependency vulnerabilities in
requirements.txt - Injection vulnerabilities (SQL, command, template) in any script
- SSRF or unvalidated external URL usage in agent scripts
Out of scope:
- Issues in external services this tool integrates with (Google, Slack, Notion, Grain)
- Social engineering attacks
- Denial of service against local scripts
- Never commit
.env,token.json, orcredentials.json— all are gitignored - Rotate credentials immediately if you suspect they have been exposed
- Run
pip-audit -r requirements.txtperiodically to check for new CVEs - The
generate_readonly_token.pyoutput contains live credentials — treat it with the same care as a password