We take the security of protoMaker seriously. If you discover a security vulnerability, please report it responsibly by following the process below.

⚠️ DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please report security issues through one of these channels:

1. Discord (Preferred): Join our Discord server (invite link TBA) and send a direct message to @josh
2. Email: Send details to security@protolabs.studio

When reporting a vulnerability, please include:

• Description: A clear description of the vulnerability
• Impact: What the vulnerability allows an attacker to do
• Steps to Reproduce: Detailed steps to reproduce the vulnerability
• Proof of Concept: If possible, provide a PoC (code, screenshots, or videos)
• Environment: Version of protoMaker affected, operating system, etc.
• Suggested Fix: If you have ideas on how to fix it (optional)

We are committed to addressing security issues promptly:

• 24 hours: Initial triage and acknowledgment of your report
• 7 days: Patch development and testing for critical vulnerabilities
• 14 days: Patch development for moderate vulnerabilities
• Public disclosure: After a fix is released and users have had time to update

We will keep you informed throughout the process and credit you in the security advisory (unless you prefer to remain anonymous).

The following components are in scope for vulnerability reports:

• Server API: Express server, WebSocket connections, API endpoints
• Authentication: Session management, token handling
• Data Storage: Database interactions, file system operations
• Git Operations: Worktree management, repository interactions
• Electron App: IPC communication, native integrations

The following are generally out of scope:

• Third-party dependencies: Vulnerabilities in dependencies we don't control (but we appreciate heads-ups!)
• Social engineering attacks
• Denial of service attacks requiring excessive resources
• Issues requiring physical access to a user's machine
• Vulnerabilities in outdated versions (please test against the latest release)

When using protoMaker:

• Keep your installation up to date - Security patches are released regularly
• Use API keys securely - Never commit API keys to repositories
• Review generated code - Always review code generated by AI agents before deploying
• Limit repository access - Only grant protoMaker access to repositories you trust it to modify
• Use worktrees in production carefully - Understand the implications of automated git operations

We currently do not offer a bug bounty program. However, we deeply appreciate security researchers who help keep protoMaker secure, and we will publicly acknowledge your contribution in:

• Security advisories
• Release notes
• Our contributors list

Security updates are released as part of regular releases. Critical security fixes may be released in patch versions outside the normal release cycle.

To stay informed about security updates:

• Watch the GitHub repository for release notifications
• Join our Discord server (invite link TBA) for announcements
• Check the release notes regularly

For any security-related questions or concerns:

• Discord: Discord invite link TBA (DM @josh)
• Email: security@protolabs.studio

Thank you for helping keep protoMaker and its users safe!