| Version | Supported |
|---|---|
| 0.1.x | ✅ Yes |
Older versions are not actively maintained. Please upgrade to the latest release.
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues privately via one of the following:
- GitHub Private Vulnerability Reporting (preferred): Security Advisories
- Email: technology@endevsols.com
Please include the following in your report:
- A clear description of the vulnerability
- Steps to reproduce or a proof-of-concept
- Affected version(s)
- Potential impact assessment
| Stage | Timeframe |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix or mitigation | Within 30 days (critical issues prioritized) |
| Public disclosure | After fix is released |
We follow coordinated disclosure. You will be credited in the release notes unless you prefer to remain anonymous.
Issues in scope:
- Arbitrary code execution via crafted inputs to `CitationVerifier` or `LongTracer`
- Path traversal or unsafe file writes in trace export functions
- Credential or secret leakage through logs or trace output
- Dependency vulnerabilities with direct exploitability
Out of scope:
- Vulnerabilities in optional third-party backends (MongoDB, Redis, PostgreSQL) — report those upstream
- Issues requiring physical access to the machine
- Social engineering
Recommendations for deployments:
- Secrets: Never pass API keys or credentials as part of `response` or `sources` strings; anything in those strings may appear in trace output
- Trace storage: Restrict access to `~/.longtracer/traces.db` and to any configured database backends
- HTML reports: `export_trace_html()` output contains raw LLM response text; treat it as untrusted content (do not serve it in the same origin as your application without sandboxing) before serving it in a browser
- Dependencies: Pin dependency versions in production and audit them with `pip-audit` or `safety`
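The three recommendations above (keep secrets out of trace strings, lock down the trace database file, serve HTML reports as untrusted content) can be enforced by wrapping your own code around LongTracer. The following is an added example, not part of LongTracer or its API: it does not import LongTracer, the credential patterns are constructed for illustration and should be extended for the providers you use, and the sample trace data and report HTML are made up. `redact_secrets` is applied to strings before they are handed to the tracer, `lock_down_trace_db` sets owner-only permissions on the trace database path, and `wrap_untrusted_html` embeds report HTML in a sandboxed iframe so scripts inside LLM text cannot execute in your application's origin.

```python
"""Hardening helpers to apply around LongTracer calls (added example, not LongTracer code)."""
import html
import os
import re
import stat
from pathlib import Path

# Credential-shaped patterns. Constructed for this example; extend for your own providers.
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),                 # OpenAI-style API keys
    re.compile(r"AKIA[0-9A-Z]{16}"),                      # AWS access key IDs
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                   # GitHub personal access tokens
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{20,}"),  # Authorization: Bearer <token>
]


def redact_secrets(text: str) -> str:
    """Replace credential-looking substrings with a placeholder before text reaches a trace.

    Apply this to every `response` and `sources` string you pass to the tracer, since
    whatever goes in may be written to the trace database and to exported reports.
    """
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def lock_down_trace_db(path: Path) -> int:
    """Restrict the trace database file to owner read/write (0600) and return its mode bits.

    Creates the file if it does not exist so the permissions are in place before the
    tracer first writes to it. POSIX-only; on Windows use ACLs instead.
    """
    path.parent.mkdir(parents=True, exist_ok=True)
    path.touch(exist_ok=True)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def wrap_untrusted_html(report_html: str) -> str:
    """Embed report HTML (e.g. export_trace_html() output) in a sandboxed iframe.

    The `sandbox` attribute without `allow-scripts` or `allow-same-origin` blocks script
    execution and gives the content an opaque origin, so LLM-authored markup cannot run
    JavaScript or reach the host page's cookies and DOM. The report is HTML-escaped into
    the `srcdoc` attribute; the browser decodes it back into markup inside the frame.
    """
    escaped = html.escape(report_html, quote=True)
    return (
        "<!doctype html><html><head><meta charset=\"utf-8\">"
        "<title>LongTracer report (sandboxed)</title></head><body>"
        f'<iframe sandbox srcdoc="{escaped}" style="width:100%;height:90vh;border:0"></iframe>'
        "</body></html>"
    )


if __name__ == "__main__":
    # Constructed sample data: a model response that echoed an API key, and a report
    # containing LLM text with an injected script tag.
    response = "Here is your config: OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz"
    print(redact_secrets(response))
    db_mode = lock_down_trace_db(Path.home() / ".longtracer" / "traces.db")
    print(f"traces.db mode: {db_mode:o}")
    report = "<h1>Trace</h1><p>Answer</p><script>fetch('/admin')</script>"
    print(wrap_untrusted_html(report))
```

`redact_secrets` is deliberately a best-effort filter: patterns cannot catch every credential format, so the primary control remains not putting secrets into `response` or `sources` in the first place. The sandboxed iframe is the control for reports you must render; if you only need to store or archive them, serve them with `Content-Type: text/plain` or as a download instead.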
LongTracer uses a minimal core dependency set. To audit your installation:

```bash
pip install pip-audit
pip-audit
```