
Security: xiaoletian64/obs-code


Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in obs-code, please report it responsibly:

  • Email: Create an issue on GitHub Security Advisories
  • Response time: We aim to acknowledge reports within 48 hours and provide a fix within 7 days

Please do not publicly disclose the vulnerability until a fix has been released.

Security Best Practices

When using obs-code as an MCP server:

  1. Never expose the HTTP server to public networks - it binds to 127.0.0.1 by default
  2. API keys are stored in ~/.obs-code/config.json - ensure this file has appropriate permissions (chmod 600)
  3. Project paths passed to MCP tools are validated against directory traversal attacks
  4. No secrets should be committed to the repository - use .env files (gitignored) for sensitive configuration
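Item 2 can be checked rather than assumed. The script below is an added example, not part of obs-code: it audits the config file at the path named above and applies chmod 600 only when group or other bits are set. The function names and the refusal to follow symlinks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of obs-code. The default path comes from the policy
# above; function names and the symlink refusal are assumptions of this sketch.

# Print a file's permission bits in octal (GNU stat first, BSD stat second).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_config [path]
# Returns 0 if only the owner has access, 1 if group/other bits are set,
# 2 if the path is missing, a symlink, or not a regular file.
audit_config() {
    a_cfg="${1:-$HOME/.obs-code/config.json}"
    if [ -L "$a_cfg" ] || [ ! -f "$a_cfg" ]; then
        echo "skip: $a_cfg is missing or not a regular file" >&2
        return 2
    fi
    a_mode=$(file_mode "$a_cfg") || return 2
    # The last two octal digits are the group and other bits; both must be 0.
    case "$a_mode" in
        *00|0) echo "ok: $a_cfg has mode $a_mode"; return 0 ;;
        *)     echo "weak: $a_cfg has mode $a_mode" >&2; return 1 ;;
    esac
}

# harden_config [path]
# Applies chmod 600 only when the audit reports weak permissions, then re-audits.
harden_config() {
    h_cfg="${1:-$HOME/.obs-code/config.json}"
    if audit_config "$h_cfg"; then
        return 0
    else
        h_rc=$?
    fi
    [ "$h_rc" -eq 1 ] || return "$h_rc"
    chmod 600 "$h_cfg" && audit_config "$h_cfg"
}

# Run against the default location only when asked to: sh script.sh --fix
if [ "${1:-}" = "--fix" ]; then
    harden_config
fi
```

A return code of 2 is left for the operator to investigate instead of being fixed automatically, since a symlinked or missing config file is not something chmod should paper over.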

There aren't any published security advisories