Report security vulnerabilities through GitHub Security Advisories. Do not report vulnerabilities through public issues.
You should receive a response within 48 hours. If you do not, follow up to confirm receipt.
- Type of vulnerability (e.g., information disclosure, path traversal)
- Full paths of affected source files
- Location of the affected code (tag, branch, commit, or URL)
- Configuration required to reproduce
- Step-by-step reproduction instructions
- Proof-of-concept code (if possible)
- Impact and potential exploitation vectors
| Version | Supported |
|---|---|
| 2.1.x | Yes |
| 2.0.x | Yes |
| 1.9.x | Yes |
| 1.8.x | Yes |
| < 1.8 | No |
Security patches are applied to the current major version and the previous two minor versions.
FinalCode is a skill definition for the Skills ecosystem. It instructs AI assistants how to audit repositories. As such:
- No code execution. FinalCode does not execute code itself.
- No network access. FinalCode does not make network requests.
- No data collection. FinalCode does not collect or transmit user data.
- AI-dependent. Actual behavior depends on the AI model processing the skill.
- Vulnerabilities in the skill definition itself
- Path traversal or file inclusion issues in the install scripts
- Injection vectors through configuration files
- Incorrect access control in generated artifacts
- Vulnerabilities in OpenCode itself
- Vulnerabilities in the AI model processing the skill
- Issues that require modifying the AI model to exploit
- Social engineering attacks
- Issues requiring physical access to the target system
| Severity | Response Time | Action |
|---|---|---|
| Critical | 24 hours | Patch and release immediately |
| High | 72 hours | Patch in next minor release |
| Medium | 1 week | Patch in next scheduled release |
| Low | 2 weeks | Patch when convenient |
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 72 hours
- Work with reporter to validate the vulnerability
- Develop and test a fix
- Release the fix with a security advisory
- Credit the reporter (unless anonymity is requested)
- Review the certification report before acting on findings
- Verify critical security findings independently
- Use Inspect Mode before Repair Mode
- Back up your repository before running Repair Mode
- Review AI-generated fixes before merging
This security policy follows GitHub Security Advisory guidelines.