| Version | Supported |
|---|---|
| 1.0.x (latest) | ✅ Active support |
| 0.1.x | |
| < 0.1.0 | ❌ No support |
DO NOT open a public GitHub Issue for security vulnerabilities.
If you discover a security vulnerability in Basilisk (the framework itself, not in a target system you tested), please report it responsibly.
- Email: Send a detailed report to support@rothackers.com
- Subject Line:
[SECURITY] Basilisk — Brief Description - Encrypt (optional): PGP key available upon request
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if you have one)
- Your name/handle for attribution (optional)
| Timeline | Action |
|---|---|
| 24 hours | Acknowledgement of your report |
| 72 hours | Initial assessment and severity classification |
| 7 days | Detailed response with remediation plan |
| 30 days | Fix developed, tested, and released |
| After fix | Public disclosure with your attribution (if desired) |
The following are in scope for security reports:
- Vulnerabilities in the Basilisk CLI, backend, or desktop application
- Supply chain issues (dependency vulnerabilities, compromised packages)
- Authentication or authorization bypasses in the desktop app's backend bridge
- Path traversal or arbitrary file access through report generation
- Code injection through crafted configuration files or scan inputs
- Insecure handling of API keys or credentials in local storage
The following are out of scope:
- Vulnerabilities in target LLM systems (report those to the LLM provider)
- Issues in third-party dependencies that are already publicly known
- Social engineering of project maintainers
- Denial of service against github.com or pypi.org
We follow coordinated disclosure practices:
- The reporter shares the vulnerability details privately with us
- We validate and develop a fix
- We release a patched version
- We publicly disclose the vulnerability with credit to the reporter (unless they prefer anonymity)
- We request a minimum 90-day embargo before public disclosure to protect users
Security patches are released as point releases (e.g., 1.0.2, 1.0.3). We recommend always running the latest version:
pip install --upgrade basilisk-aiWe maintain a list of security researchers who have responsibly disclosed vulnerabilities in Basilisk. If you report a valid security issue, you'll be credited here (with your permission).
No reports yet — be the first!
- Email: support@rothackers.com
- GitHub: @noobforanonymous
- Website: basilisk.rothackers.com