If you discover a security vulnerability in gptme, please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Email the maintainers directly at: [email protected] (or contact via GitHub private disclosure)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)

What to expect:
- Acknowledgment within 48 hours
- Regular updates on progress
- Credit for responsible disclosure (if desired)

This policy applies to:
- The gptme CLI tool
- gptme-server
- gptme-webui
- Official gptme packages and plugins

gptme is designed to execute code on behalf of the user. Key security considerations:
- Privilege Level: gptme runs with user permissions - it can do anything you can do
- Interactive Mode: Commands require user confirmation before execution
- Non-Interactive Mode: Use only in trusted, isolated environments
- Tool Execution: All tool outputs are logged for audit purposes

See the security documentation for detailed security guidance.

| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |

We recommend always using the latest version for security updates.