Only the latest release of each extension receives security updates.

Do not open a public issue. Security vulnerabilities must be reported privately so we can fix them before they are exploited.

1. GitHub Private Vulnerability Reporting (preferred) — go to the Security tab and click Report a vulnerability.
2. Email — send a detailed report to contact@devglobe.xyz.

• A clear description of the vulnerability
• Steps to reproduce (or a proof of concept)
• The affected extension(s) and version(s)
• The potential impact

We will keep you informed of our progress throughout the process.

The following are in scope for security reports:

• Heartbeat data leaking information beyond what is documented in PRIVACY.md
• API key exposure or insecure storage
• Privacy flag bypass (hide_file_names, hide_branch_names, hide_project_names not honored)
• File paths leaking outside the git root, or absolute home paths reaching the wire
• Code injection via the VS Code webview sidebar
• Insecure network communication (TLS downgrade, unencrypted requests)
• Unauthorized access to another user's data via the heartbeat / dashboard API

• Supabase Row Level Security policy bypass (accessing or modifying another user's data)
• Supabase Edge Functions vulnerabilities
• GitHub App (devglobeapp) permission escalation or data leakage beyond documented scope

• Vulnerabilities on devglobe.xyz (XSS, CSRF, authentication bypass, data exposure)

• Rate limiting on the heartbeat endpoint (server-side throttling is already in place)
• The Supabase anonymous key being visible in source code (this is public by Supabase design — protection relies on RLS policies)
• Social engineering or phishing attacks
• Denial of service attacks
• Vulnerabilities in dependencies of the IDE platforms themselves (VS Code, JetBrains, Claude Code)
• Issues that require physical access to the user's machine

For a detailed description of what data is collected, how API keys are stored, and how network communication works, see the Privacy & Security section of the main README.

Key design decisions:

• HTTPS only — all network requests enforce TLS, no HTTP fallback
• Minimal data — only what is listed in PRIVACY.md is sent; source code, file contents, and keystrokes are never accessed
• Secure key storage — OS keychain on VS Code (SecretStorage) and JetBrains (PasswordSafe); ~/.devglobe/config.toml (mode 0600) on the other extensions
• Content Security Policy — VS Code webview uses a cryptographic nonce-based CSP
• No telemetry — no third-party analytics or tracking services

We follow coordinated disclosure. Once a fix is released, we will:

1. Credit the reporter (unless they prefer to stay anonymous)
2. Publish a summary in the release notes
3. If the vulnerability is significant, publish a GitHub Security Advisory