| Tool | Version | Supported |
|---|---|---|
| Warren | 0.3.x | Yes |
| Burrow | 0.3.x | Yes |
| Plot | 0.3.x | Yes |
| Mulch | 0.10.x | Yes |
| Seeds | 0.4.x | Yes |
| Canopy | 0.2.x | Yes |
| Sapling | 0.3.x | Yes |
| Trellis | 0.0.x (pre-release) | Yes |
| Overstory | — | No (archived 2026-05) |
Older versions receive no security patches. Please upgrade to the latest release.
Do not open a public issue. Instead, use GitHub Security Advisories to report vulnerabilities privately.
For tool-specific vulnerabilities, report to the relevant sub-repo:
- Warren security advisories
- Burrow security advisories
- Plot security advisories
- Mulch security advisories
- Seeds security advisories
- Canopy security advisories
- Sapling security advisories
- Trellis security advisories
| Step | Target |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 7 days |
| Fix or mitigation | 30 days |
Vulnerabilities we care about across the ecosystem:
- Command injection via CLI arguments
- Path traversal or arbitrary file access
- Symlink attacks on storage directories
- Temp file race conditions
- Sandbox escape or privilege escalation (Burrow, Warren)
- Prompt injection via stored templates (Canopy)
- Prompt injection via audited repo contents during the LLM investigation pass (Trellis)
- Denial of service via extremely large files
- Issues requiring existing shell access to the machine
- Social engineering
- Costs from spawning many agents (Warren)
The tools share these design principles:
- Atomic writes with advisory file locking for multi-agent safety
- Input validation on all CLI arguments
- Local-first, git-native storage; network access only where the tool's job requires it (warren's GitHub polling, trellis's bounded LLM investigation pass)
- No eval or dynamic code execution on user input