
Security: vinhnx/vtcode

SECURITY.md

Security Policy

We take the security of VT Code seriously. If you discover a security vulnerability, we appreciate your responsible disclosure and will work to address it promptly.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities via one of the following channels:

What to Include in Your Report

When reporting a security vulnerability, please provide us with the following information:

  • A brief description of the vulnerability and its potential impact
  • Steps to reproduce the issue (proof-of-concept code is appreciated)
  • Affected versions (if known)
  • Any possible mitigations you've identified

What to Expect

  • Acknowledgment: We will acknowledge your report within 48 hours
  • Updates: We will provide regular updates on the status of the vulnerability and fix progress
  • Resolution: We will work to fix the vulnerability as quickly as possible and coordinate the release of the fix with you
  • Credit: We will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)

Security Best Practices for Users

API Keys and Credentials

  • Never commit API keys, tokens, or other credentials to version control; a key that has been committed should be treated as compromised and rotated, even if the commit is later removed from history
  • Supply API keys through environment variables rather than hardcoding them in source or configuration files
  • If you use a .env file, add it to .gitignore before the first commit and confirm it is ignored (for example with git check-ignore .env)
  • Rotate API keys on a regular schedule and immediately after any suspected exposure

Configuration Security

  • Treat vtcode.toml as sensitive if it holds credentials or private endpoints; do not share or commit it with secret values in place
  • Review your tool policies regularly so that only the operations you actually need are allowed, and keep risky tools on deny or prompt rather than allow
  • Use TLS (https) connections when integrating with external services

System Security

  • Run VT Code only in trusted environments and on code you trust
  • Review code and commands the agent proposes before executing them; treat model output as untrusted input rather than as a vetted instruction
  • Update VT Code regularly so you receive the latest security fixes

Supported Versions

Version   Supported
0.31.x    Yes (latest release)
0.30.x    Critical fixes only
< 0.30    No longer supported

Security Features

VT Code includes several built-in security features:

  • Path Validation: Prevents file system access outside the designated workspace
  • Tool Policies: Configurable allow/deny/prompt policies for different operations
  • PII Protection: Automatic tokenization of sensitive data in code execution
  • Token Management: Secure handling of API keys and authentication tokens
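The path-validation feature listed above is the classic workspace-confinement check, and it has two failure modes that an implementation must cover: lexical escapes (".." segments and absolute paths) and symlinks inside the workspace that point outside it. The following is an added illustration written for this page, not VT Code's own implementation; the function names, the error type, and the use of only the Rust standard library are assumptions for the example.

```rust
// Added example of workspace-scoped path validation. Illustrative code, not
// VT Code's implementation; standard library only, function names are invented.
use std::ffi::OsString;
use std::fs;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum PathError {
    /// The resolved path would land outside the workspace root.
    EscapesWorkspace(PathBuf),
    /// Filesystem error while resolving (missing workspace, dangling symlink, ...).
    Io(String),
}

/// Resolve `.` and `..` purely lexically. Returns None when `..` would climb
/// above the filesystem root, which only happens for hostile input.
fn lexical_normalize(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            other => out.push(other.as_os_str()),
        }
    }
    Some(out)
}

/// Map a user- or model-supplied path onto the workspace and refuse anything
/// that escapes it. The lexical check catches `..` and absolute paths; the
/// canonicalizing check catches symlinks that point outside the root.
pub fn resolve_in_workspace(workspace: &Path, requested: &str) -> Result<PathBuf, PathError> {
    let root = fs::canonicalize(workspace).map_err(|e| PathError::Io(e.to_string()))?;

    // `join` with an absolute `requested` discards `root`; the prefix check
    // below rejects that case as well.
    let joined = root.join(requested);
    let normalized = lexical_normalize(&joined)
        .ok_or_else(|| PathError::EscapesWorkspace(joined.clone()))?;
    if !normalized.starts_with(&root) {
        return Err(PathError::EscapesWorkspace(normalized));
    }

    // The target may not exist yet (a file the agent wants to create), so
    // canonicalize the deepest existing ancestor and re-attach the remaining
    // components. `symlink_metadata` treats a dangling symlink as present, so
    // `canonicalize` fails on it instead of a later write creating its target.
    let mut existing = normalized.clone();
    let mut tail: Vec<OsString> = Vec::new();
    while fs::symlink_metadata(&existing).is_err() {
        let name = match existing.file_name() {
            Some(n) => n.to_os_string(),
            None => return Err(PathError::EscapesWorkspace(normalized)),
        };
        tail.push(name);
        if !existing.pop() {
            return Err(PathError::EscapesWorkspace(normalized));
        }
    }
    let mut real = fs::canonicalize(&existing).map_err(|e| PathError::Io(e.to_string()))?;
    for name in tail.iter().rev() {
        real.push(name);
    }
    if !real.starts_with(&root) {
        return Err(PathError::EscapesWorkspace(real));
    }
    Ok(real)
}

fn main() {
    // Stand-alone demo using the current directory as the workspace.
    let ws = std::env::current_dir().expect("cwd");
    for req in ["src/main.rs", "../outside.txt", "/etc/passwd"].iter() {
        match resolve_in_workspace(&ws, req) {
            Ok(p) => println!("allow {:?} -> {}", req, p.display()),
            Err(e) => println!("deny  {:?}: {:?}", req, e),
        }
    }
}
```

Note the order of the two checks: canonicalizing first and checking the prefix once is not enough, because a not-yet-existing target cannot be canonicalized, and checking lexically only is not enough, because a symlink such as workspace/link -> / passes the prefix test while every path beneath it resolves outside the workspace.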

Security Architecture

For information about VT Code's security architecture, please see our documentation on:

Additional Resources

Version Updates

We regularly update dependencies and monitor them for known security vulnerabilities. To check the Rust dependencies of your own checkout against the RustSec advisory database, run:

# Install cargo-audit if you haven't already
cargo install cargo-audit

# Audit dependencies for known vulnerabilities
cargo audit

Contact

For general security questions or concerns, please contact us via the channels mentioned above.

Thank you for helping keep VT Code and its users safe!

There aren’t any published security advisories