We take security seriously. Currently, the following versions are supported with security updates:

All agents in this repository follow 2025 Security-First Standards:

• ✅ Zero-Trust Architecture - Never trust, always verify
• ✅ Secure by Default - Secure configurations out of the box
• ✅ Defense in Depth - Multiple layers of security
• ✅ Least Privilege - Minimal access rights
• ✅ Input Validation - All inputs sanitized and validated
• ✅ Output Encoding - Prevent injection attacks
• ✅ Secure Dependencies - Regular dependency audits
• ✅ Secrets Management - No hardcoded credentials

All agents must implement:

security_features:
  - input_validation        # Validate all user inputs
  - output_sanitization     # Sanitize all outputs
  - secure_coding_practices # Follow OWASP guidelines
  - vulnerability_scanning  # Regular security scans
  - dependency_checking     # Monitor for vulnerable dependencies
  - secrets_management      # Secure credential handling
  - error_handling          # Secure error messages
  - logging_security        # Secure logging practices

We appreciate the security community's efforts in responsible disclosure. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should NOT be reported through public GitHub issues.

Email: [email protected]

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if available)
• Your contact information

1. Confirmation - We'll confirm receipt of your report
2. Assessment - We'll assess the severity and impact
3. Fix Development - We'll develop and test a fix
4. Release - We'll release the security update
5. Disclosure - We'll publicly disclose with credit (if desired)

We don't currently offer a bug bounty program, but we will:

• Publicly acknowledge your contribution (with permission)
• Add you to our security hall of fame
• Provide a detailed thank you in the security advisory

• Remote code execution
• Authentication bypass
• Privilege escalation
• SQL injection
• Command injection

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Insecure direct object references
• Security misconfiguration

• Information disclosure
• Missing security headers
• Insecure cryptography
• Session management issues

• Missing best practices
• Minor information leaks
• Low-impact misconfigurations

When contributing agents:

# Always validate inputs
capabilities:
  - Validates all user inputs before processing
  - Implements allowlist validation
  - Rejects malformed requests

# Follow secure coding practices
best_practices:
  - Never use eval() or exec() with user input
  - Sanitize all file paths
  - Use parameterized queries
  - Implement proper error handling

# Keep dependencies secure
dependencies:
  - Regularly update all dependencies
  - Use dependency scanning tools
  - Pin dependency versions
  - Audit third-party libraries

# Never hardcode secrets
security_features:
  - Use environment variables
  - Implement secrets rotation
  - Use secure key management
  - Never commit credentials

Before submitting a PR:

• No hardcoded credentials or API keys
• All inputs are validated
• Outputs are properly sanitized
• Error messages don't leak sensitive info
• Dependencies are up-to-date
• Security features are documented
• OWASP Top 10 considerations addressed
• Secure defaults are used

• OWASP Top 10
• OWASP Cheat Sheet Series
• OWASP API Security Top 10

• CWE Top 25
• NIST Cybersecurity Framework
• ISO 27001

• Snyk - Dependency scanning
• Bandit - Python security linter
• Safety - Python dependency checker
• npm audit - Node.js security auditing

We regularly:

• Audit dependencies for known vulnerabilities
• Update security features to match evolving threats
• Review agent configurations for security issues
• Publish security advisories for important updates

For security-related questions:

• Email: [email protected]
• PGP Key: Available upon request

For general questions:

• Email: [email protected]
• GitHub Discussions: Custom-Modes-Roo-Code Discussions

We thank all security researchers who responsibly disclose vulnerabilities. Your efforts help keep our users safe.

Last Updated: October 22, 2025

Security Policy Version: 1.0