We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue in ConsensusMind, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues via email to:
Email: security@dslabs.network
Include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if available)

- Initial Response: Within 48 hours of report
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: Next release cycle

- Security issues will be fixed before public disclosure
- Reporter will be credited (unless anonymity is requested)
- Public disclosure will be coordinated with the reporter
- CVE will be requested for critical vulnerabilities

When using ConsensusMind:
- API Keys: Never commit API keys or secrets to the repository
- Configuration: Use environment variables for sensitive data
- Updates: Keep dependencies updated regularly
- LLM Endpoints: Only connect to trusted inference endpoints
- PDF Processing: Be cautious when processing untrusted PDFs
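The first three points above (secrets only from the environment, trusted inference endpoints, HTTPS everywhere) can be enforced at startup rather than left to convention. The following is an added example written for this page, not code from the ConsensusMind project; the variable names `CONSENSUSMIND_API_KEY` and `CONSENSUSMIND_LLM_ENDPOINT` and the `TRUSTED_LLM_HOSTS` allowlist are assumptions chosen for illustration.

```python
import os
from urllib.parse import urlparse

# Hypothetical allowlist of inference hosts this deployment trusts.
# Constructed for this example; it is not a list shipped by ConsensusMind.
TRUSTED_LLM_HOSTS = frozenset({"api.openai.com", "llm.example.internal"})


class ConfigError(ValueError):
    """Raised when a setting is missing or would weaken the deployment."""


def load_api_key(env, var="CONSENSUSMIND_API_KEY"):
    """Read the API key from an environment mapping (os.environ in production).

    The key is never read from a file inside the repository, so it cannot be
    committed by accident. Startup fails loudly if the variable is unset.
    """
    key = env.get(var, "").strip()
    if not key:
        raise ConfigError(f"{var} is not set; refusing to start without a key")
    return key


def validate_llm_endpoint(url, trusted_hosts=TRUSTED_LLM_HOSTS):
    """Accept only HTTPS URLs whose host is on the allowlist and carries no credentials."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ConfigError(f"endpoint must use https, got {parsed.scheme!r}")
    host = parsed.hostname or ""  # urlparse already lowercases the host
    if host not in trusted_hosts:
        raise ConfigError(f"{host!r} is not a trusted inference endpoint")
    if parsed.username or parsed.password:
        raise ConfigError("credentials embedded in the endpoint URL are not allowed")
    return url


def endpoint_is_rejected(url, trusted_hosts=TRUSTED_LLM_HOSTS):
    """True when validate_llm_endpoint refuses the URL; handy for config checks."""
    try:
        validate_llm_endpoint(url, trusted_hosts)
    except ConfigError:
        return True
    return False


def build_settings(env=None):
    """Assemble validated settings from env (os.environ by default)."""
    env = os.environ if env is None else env
    key = load_api_key(env)
    endpoint = validate_llm_endpoint(env.get("CONSENSUSMIND_LLM_ENDPOINT", ""))
    return {"api_key": key, "llm_endpoint": endpoint}


def describe_settings(settings):
    """Loggable view of the settings with the secret redacted."""
    return {"api_key": "<redacted>", "llm_endpoint": settings["llm_endpoint"]}


if __name__ == "__main__":
    # Constructed sample environment; in production pass os.environ (or nothing).
    sample_env = {
        "CONSENSUSMIND_API_KEY": "sk-example-not-a-real-key",
        "CONSENSUSMIND_LLM_ENDPOINT": "https://api.openai.com/v1/chat/completions",
    }
    print(describe_settings(build_settings(sample_env)))
```

Failing fast on a missing key or a plain-HTTP endpoint turns a silent misconfiguration into a startup error, and `describe_settings` is the only view that should ever reach a log line.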

Security issues we accept:
- Remote code execution
- Authentication/authorization bypass
- Information disclosure
- Injection vulnerabilities (SQL, command, etc.)
- Cryptographic vulnerabilities

Out of scope:
- Denial of Service from rate limiting
- Issues requiring physical access
- Social engineering attacks
- Issues in third-party dependencies (report to them directly)

ConsensusMind implements:
- HTTPS for all external API calls
- Input validation and sanitization
- Rate limiting for external services
- Secure dependency management
- No execution of untrusted code

For security issues: security@dslabs.network

Thank you for helping keep ConsensusMind and our users safe.