| Version | Supported |
|---|---|
| 0.1.x | Yes |
If you discover a security vulnerability within OpenAgent Eval, please send an email to security@openagenthq.com. All security vulnerabilities will be promptly addressed.
Do NOT report security vulnerabilities through public GitHub issues.
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Fix Released: Within 30 days (for critical issues)
- We will acknowledge receipt of your report
- We will confirm the vulnerability and determine its impact
- We will develop a fix
- We will release the fix
- We will publicly disclose the vulnerability (after fix is released)
When a security update is released:
- Update to the latest version
- Review the changelog for security fixes
- Test your application
- Deploy the update
When a security issue is reported:
- Acknowledge the report
- Assess the severity
- Develop a fix
- Test the fix
- Release the update
- Update the changelog
- Notify users
- Keep dependencies up to date
- Use environment variables for API keys and secrets (never hardcode them)
- Validate all configuration inputs
- Use HTTPS when connecting to external LLM providers
- Enable security features provided by your OS and Python
- Follow secure coding practices
- Validate input at boundaries
- Use parameterized queries where applicable
- Sanitize output
- Handle errors securely
- Never commit secrets or API keys
- Use
.envfiles for local development secrets
For security-related questions or concerns, please contact:
- Email: security@openagenthq.com
We would like to thank the following researchers for responsibly disclosing vulnerabilities:
- (None yet)
Thank you for helping keep OpenAgent Eval and its users safe.