| Version | Supported |
|---|---|
| Latest on main | Yes |
| Previous releases | Best effort |
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please use GitHub's private vulnerability reporting to report security issues.
Alternatively, contact the maintainer directly via GitHub: @danfking
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s) and version(s)
- Potential impact
Response timeline:
- Acknowledgment: Within 48 hours
- Assessment: Within 1 week
- Fix: Depends on severity, but we aim for critical fixes within 2 weeks
This security policy covers:
- `@burnishdev/components` — web component library
- `@burnishdev/renderer` — streaming HTML parser and sanitizer
- `@burnishdev/server` — MCP hub and LLM orchestrator
- `@burnishdev/app` — headless SDK
- `burnish` CLI
Out of scope: Third-party MCP servers connected via Burnish. Security issues with MCP servers should be reported to their respective maintainers.
Security measures in place:
- All user-provided HTML is sanitized via DOMPurify before rendering
- Component attributes are validated and constrained
- The pre-commit hook scans for accidentally committed secrets
- Dependencies are monitored via Dependabot alerts