| Version | Supported |
|---|---|
| 0.0.x | ✅ |
If you discover a security vulnerability in Qwen Orchestrator, please report it responsibly:
- Do NOT open a public GitHub issue
- Email the maintainers at: security@yourdomain.com (replace with actual email)
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Within 48 hours: We will acknowledge receipt of your report
- Within 7 days: We will provide an initial assessment
- Within 30 days: We will provide a fix or timeline for resolution
- Never commit secrets, API keys, or credentials
- Use environment variables for sensitive data
- Run `npm audit` before releases
- Keep dependencies updated
- Keep your extension updated to the latest version
- Review agent permissions before installation
- Be cautious with custom MCP servers
- Report security issues responsibly
- No sensitive data stored in plain text
- Session data isolated per project
- MCP Memory server uses secure storage
- Session files stored locally (ensure proper file permissions)
- MCP server runs locally (ensure proper network isolation)
Regular security audits are performed on:
- MCP server code
- Agent implementations
- Session management
- File system access
At this time, we do not offer a bug bounty program. However, we greatly appreciate responsible disclosure and will credit contributors in the release notes.
- Omar-Obando - Primary maintainer
- Initial security policy published
- Defined reporting process
- Documented security practices