Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you’ve discovered a security vulnerability in Mage, please report it:

Email: security@mage.ai
Include:
- Description of the issue
- Steps to reproduce (if applicable)
- Any relevant logs, screenshots, or proof-of-concept

We typically acknowledge reports within 3 business days.

Responsible Disclosure

We ask that you:

Do not publicly disclose the issue until it has been investigated and resolved
Avoid accessing, modifying, or deleting data that does not belong to you
Act in good faith to avoid privacy violations or disruption

What to Expect

After receiving your report, we will:

Triage and validate the issue
Determine affected systems and scope
Work on a fix and coordinate release

We may reach out for additional details during this process.

Scope

This policy applies to:

mage.ai (including hosted environments)
Official Mage repositories and services

Out of scope:

Issues requiring unrealistic user interaction
Reports without a clear security impact
Vulnerabilities in third-party services not controlled by Mage

If you’re unsure whether something is in scope, feel free to reach out.

User authentication not working properly for the Mage terminal
GHSA-c6mm-2g84-v4m7 published May 5, 2023 by dy46

Moderate

Learn more about advisories related to mage-ai/mage-ai in the GitHub Advisory Database