| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
Please DO NOT open public issues for security vulnerabilities.
Instead:
- Email: chicholikar.d@northeastern.edu
- Subject:
[SECURITY] CodeIntel Vulnerability Report - Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Fix Timeline: Depends on severity
- Critical: 1-3 days
- High: 1-2 weeks
- Medium: 2-4 weeks
- Low: Best effort
CodeIntel implements:
- ✅ Rate limiting (tier-based quotas)
- ✅ API key authentication with SHA-256 hashing
- ✅ Input validation (SQL injection, path traversal prevention)
- ✅ Cost controls (max repo size, max repos per user)
- ✅ Request size limits (10MB max)
- ✅ Row-level security (user data isolation)
- API keys are stored hashed but transmitted in headers
- Use HTTPS in production (not HTTP)
- Dev mode (
DEBUG=true) disables some security checks - Row-level security requires Supabase configuration
For Deployment:
- Always use HTTPS
- Set
DEBUG=falsein production - Rotate API keys regularly
- Use environment variables for secrets
- Enable Supabase RLS policies
For Development:
- Never commit
.envfiles - Use strong API keys (not
dev-secret-key) - Keep dependencies updated
- Review security scanning results in CI/CD
We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be credited (with permission) in our release notes.