| Version | Supported |
|---|---|
| 1.6.x | Yes — current release |
| 1.5.x | Yes — active support |
| 1.4.x and earlier | No — please upgrade |
Do not open a public GitHub issue for security vulnerabilities.
Report security issues privately by emailing security@duckcode.ai. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce (minimal example preferred)
- Your contact information for follow-up
We will acknowledge receipt within 2 business days and aim to issue a fix or mitigation within 14 days for confirmed vulnerabilities.
This security policy applies to the open-source DQL repository:
- `@duckcodeailabs/dql-cli` and all CLI commands
- `@duckcodeailabs/dql-core`, `dql-compiler`, `dql-connectors`, `dql-governance`, `dql-notebook`, `dql-runtime`, `dql-lsp`, `dql-project`
- The DQL Language Support VS Code extension
Issues in third-party dependencies should be reported upstream to those projects.
DQL runs a local HTTP server when you run `dql notebook`. By default:
- The server binds to `127.0.0.1` (localhost only)
- No authentication is applied to the API endpoints
- SQL queries entered in the notebook are executed directly against your configured database connection
Do not expose the DQL notebook server to untrusted networks. The server is designed for local development use only.
DQL reads database credentials from `dql.config.json`. Best practices:
- Do not commit `dql.config.json` if it contains passwords or access tokens
- Use environment variable references where supported: `"password": "${DB_PASSWORD}"`
- Add `dql.config.json` to your `.gitignore` if it contains secrets