Do not open public issues for security vulnerabilities.
Email security reports to: [email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge your report within 48 hours and provide a detailed response within 7 days.
| Version | Supported |
|---|---|
| main | ✅ Active development |
| < 1.0 |
Wingman handles:
- API keys: Stored locally in
~/.wingman/config.json - Chat history: Stored locally in
~/.wingman/sessions/ - Network requests: Sent to Dedalus Labs API over HTTPS
- Don't share your
~/.wingman/directory - Rotate API keys periodically
- Don't paste sensitive data into chat sessions
We follow coordinated disclosure:
- Reporter submits vulnerability privately
- We acknowledge within 48 hours
- We investigate and develop fix
- We release fix and credit reporter (unless anonymity requested)
- Public disclosure after 90 days or when fix is deployed
- Security issues: [email protected]
- General questions: [email protected]