Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them privately via email:

📧 security@labs.ai

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fix (optional but appreciated)

We follow coordinated disclosure:

1. You report the vulnerability privately
2. We acknowledge and begin working on a fix
3. We release the fix and publish a security advisory
4. You may publish your findings after the fix is released

We will credit you in the security advisory unless you prefer to remain anonymous.

• EDDI Manager frontend application
• Authentication flows (Keycloak integration)
• API communication layer (ApiClient)
• Any XSS, CSRF, or injection vectors in the UI

• EDDI backend vulnerabilities (report to EDDI SECURITY.md)
• Third-party LLM API vulnerabilities (OpenAI, Anthropic, etc.)
• User configuration errors
• Vulnerabilities in dependencies (report upstream; we monitor via Dependabot)

• Never commit API keys, tokens, or passwords
• All user-generated content rendered via react-markdown is sanitized with DOMPurify
• Never use dangerouslySetInnerHTML without sanitization
• All API calls go through ApiClient which handles auth token injection