| Version | Supported |
|---|---|
| 2.x | Yes |
| < 2.0 | No |

If you discover a security vulnerability in Backend Max, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email rishi@backendmax.dev with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)

Expected response times:
- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Resolution target: within 30 days for critical issues

Backend Max is a read-only diagnostic tool by design. It analyzes source code via static analysis and does not:
- Execute user code
- Make network requests to external services (except `live_test`, which is opt-in and localhost-only)
- Modify source files (except `fix_issue`, which generates patches for review)
- Send telemetry or analytics

The built-in Path Guardian prevents scanning of:
- System directories (`/etc`, `/usr`, `~/.ssh`, `~/.aws`, etc.)
- Credential files (`.pem`, `.key`, `.env` values)
- Node modules and build outputs
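
The kind of check the Path Guardian performs, shown as an added example that is not Backend Max's own code: a lexical denylist that expands `~`, anchors relative paths at the working directory, collapses `..` segments, and then refuses the three categories listed above. The denylist entries not named on this page (`dist`, `build`), the `cwd`/`home` defaults and the sample requests are assumptions constructed for the example.

```python
import posixpath

# Denylist constructed from the categories this policy names. The entries not
# named on the page ("dist", "build") and the cwd/home defaults are assumptions.
BLOCKED_DIRS = ("/etc", "/usr", "~/.ssh", "~/.aws")
BLOCKED_SUFFIXES = (".pem", ".key")
BLOCKED_COMPONENTS = ("node_modules", "dist", "build")


def normalize(path: str, cwd: str, home: str) -> str:
    """Expand a leading ~, anchor relative paths at cwd, collapse '.' and '..'.

    Purely lexical (no filesystem access), so the result is deterministic and
    a traversal like ../../../etc/shadow is resolved before any rule is checked.
    """
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    if not posixpath.isabs(path):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def check_path(path: str, cwd: str = "/home/dev/project",
               home: str = "/home/dev") -> tuple[bool, str]:
    """Return (allowed, reason). Every denial names the rule that fired."""
    full = normalize(path, cwd, home)

    # Directory prefixes: compare on whole components, so "/etcetera" is not
    # caught by the "/etc" rule but "/etc/ssl/private" is.
    for blocked in BLOCKED_DIRS:
        root = normalize(blocked, cwd, home)
        if full == root or full.startswith(root + "/"):
            return False, f"system directory {blocked}"

    # Dependency and build-output directories anywhere in the path.
    for component in full.split("/"):
        if component in BLOCKED_COMPONENTS:
            return False, f"dependency/build directory {component}"

    # Credential files by extension, and .env plus its .env.* variants.
    name = posixpath.basename(full)
    if name.endswith(BLOCKED_SUFFIXES):
        return False, f"credential file {name}"
    if name == ".env" or name.startswith(".env."):
        return False, f"environment file {name}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests a scanner might receive.
    for candidate in ("src/app.py", "/etc/passwd", "../../../etc/shadow",
                      "~/.ssh/id_rsa", "config/server.pem", ".env.local",
                      "node_modules/left-pad/index.js", "/etcetera/notes.txt"):
        allowed, reason = check_path(candidate)
        print(f"{'allow' if allowed else 'deny ':5} {candidate!r}: {reason}")
```

Two details matter for a guard like this. The prefix comparison appends a `/` to the blocked root so that a sibling such as `/etcetera` is not swept up by the `/etc` rule, and normalization happens before any rule runs so that `..` segments cannot walk out of the project. Because the check is lexical, a symlink inside the project that points at `~/.ssh` would still pass; a production guard should additionally resolve existing paths with `os.path.realpath` and re-run the same rules on the result.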

All diagnostic output is sanitized to strip:
- Environment variable values
- API keys and tokens
- Credit card numbers
- Bearer tokens
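
A sanitizer covering the four categories above, added here as an example and not Backend Max's own implementation: literal replacement of environment variable values that are passed in, regex redaction of bearer tokens and of key/value pairs whose key name suggests a credential, and redaction of 13 to 19 digit sequences only when they pass a Luhn check, so ordinary long numbers such as order ids stay visible. The regex patterns, the 8-character minimum for environment values and the sample lines are constructed assumptions.

```python
import re
from typing import Mapping, Optional

REDACTED = "[REDACTED]"

# Patterns constructed for this example; they are assumptions, not Backend Max's rules.
# Bearer credentials in Authorization headers or log lines.
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")
# key=value or "key": "value" pairs whose key name suggests a credential.
KEYVAL_RE = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|token|password|passwd)\w*)(\"?\s*[=:]\s*\"?)([^\s\"',;]+)"
)
# 13-19 digits with optional space/dash separators; confirmed with Luhn before redacting.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps ordinary long numbers (order ids, timestamps) visible."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _redact_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    return REDACTED if luhn_ok(digits) else match.group(0)


def sanitize(text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Strip environment values, bearer tokens, credential pairs and card numbers."""
    # 1. Literal environment values, longest first so a value that contains another
    #    value is replaced as a whole. Values under 8 characters are skipped because
    #    short strings ("1", "true") would redact unrelated text.
    values = [v for v in (env or {}).values() if len(v) >= 8]
    for value in sorted(values, key=len, reverse=True):
        text = text.replace(value, REDACTED)
    # 2. Bearer tokens.
    text = BEARER_RE.sub("Bearer " + REDACTED, text)
    # 3. Credential-looking key/value pairs: keep the key and delimiter, drop the value.
    text = KEYVAL_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, text)
    # 4. Card numbers that pass Luhn.
    text = CARD_RE.sub(_redact_card, text)
    return text


if __name__ == "__main__":
    # Constructed sample diagnostic output; every secret value here is made up.
    sample_env = {"APP_SECRET": "example-secret-value-0001", "DEBUG": "1"}
    for line in (
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
        '{"api_key": "sk_test_1234567890"}',
        "DB_PASSWORD=hunter2hunter2",
        "paid with 4111 1111 1111 1111",
        "order 1234 5678 9012 3456",
        "using example-secret-value-0001 now",
    ):
        print(sanitize(line, sample_env))
```

The order of the passes is deliberate: environment values are replaced first because they are the one category known exactly rather than guessed from shape, and the later regex passes cannot match inside a `[REDACTED]` marker. The Luhn filter trades a small miss rate (roughly one random digit string in ten passes by chance) for far fewer false positives on ids and timestamps. A real tool would also exclude well-known non-secret variables such as `PATH` from the literal pass, since redacting `/usr/bin` everywhere makes output useless.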