| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via GitHub Security Advisories (recommended) or by contacting the maintainers privately.
Please include the following information:
- Type of vulnerability (e.g., XSS, SQL injection, etc.)
- Step-by-step instructions to reproduce the issue
- Affected versions
- Any potential impact
- Suggested fix (if you have one)
- Acknowledgment: We will acknowledge receipt within 48 hours
- Updates: We will keep you informed of our progress
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
This security policy applies to:
@yourgpt/copilot-sdk@yourgpt/llm-sdk- Official example applications
When using the Copilot SDK:
- Keep dependencies updated - Regularly update to the latest version
- Validate inputs - Always validate user inputs before passing to the SDK
- Secure API keys - Never expose API keys in client-side code
- Use environment variables - Store sensitive configuration in environment variables
- Review tool implementations - Carefully review any custom tools for security implications
The SDK includes several security considerations:
- Server-side tool execution (sensitive operations stay on your server)
- No client-side API key exposure required
- Sandboxed tool execution environment
Thank you for helping keep Copilot SDK and its users safe!