
Security: duckcode-ai/DataLex


SECURITY.md

Security Policy

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Email security@duckcode.ai with:

  • A description of the issue and its impact.
  • Steps to reproduce (a minimal repro case is ideal).
  • The DataLex version (the output of datalex --version if available, otherwise the commit SHA you tested against).
  • Your name and affiliation if you would like credit in the release notes for the fix.

We will acknowledge receipt within 2 business days, share our initial assessment within 7 days, and aim to ship a fix for confirmed high-severity issues within 30 days. For lower-severity issues we will coordinate a timeline with the reporter.

Supported versions

DataLex is under active development. Security fixes land on main and the latest minor release. Older minors receive critical-severity fixes only on a best-effort basis; older majors are not patched.

Version   Supported
1.7.x     yes (all security fixes)
1.6.x     ⚠️ critical-only (best effort)
< 1.6     no

Scope

In-scope:

  • The DataLex CLI (datalex) and Python packages (datalex_core, datalex_cli).
  • The web API server (packages/api-server) and Visual Studio UI (packages/web-app).
  • CI reusable GitHub Action (.github/actions/datalex).
  • JSON Schemas bundled with the datalex_core package under datalex_core/_schemas/datalex/.

Out of scope:

  • Vulnerabilities in third-party dependencies (report upstream; we will roll forward once a fix is available).
  • Issues that require the attacker to already have filesystem write access to the DataLex project directory.

Thank you for helping keep DataLex and its users safe.

There aren't any published security advisories