We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability, please do not open a public issue. Instead, please report it privately to maintainers via email or through a private security advisory.
Please report:
- Security vulnerabilities that could affect users
- Issues that could lead to data exposure or unauthorized access
- Problems with dependency management that introduce security risks
Please do not report:
- Issues that require physical access to the system
- Issues that require social engineering
- Issues that require already compromised credentials
- Denial of service attacks (unless they expose a vulnerability)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity, but we aim for:
- Critical: As soon as possible (typically within 7 days)
- High: Within 30 days
- Medium/Low: Next planned release
We follow responsible disclosure:
- Reporter privately reports the vulnerability
- Maintainers confirm and assess the issue
- A fix is developed and tested
- A security advisory is published with the fix
- Credit is given to the reporter (if desired)
When using HookedLLM:
- Never commit API keys or secrets: Always use environment variables
- Keep dependencies updated: Regularly update HookedLLM and its dependencies
- Review hook code: Ensure custom hooks don't expose sensitive data
- Use scopes appropriately: Isolate hooks to prevent unintended data access
- Validate inputs: Don't trust data from hooks without validation
HookedLLM has minimal dependencies by design. The core package has zero dependencies. Optional dependencies are clearly documented and can be reviewed in pyproject.toml.
We regularly review and update dependencies for security patches.
Thank you for helping keep HookedLLM and its users safe!