| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Report vulnerabilities privately via GitHub Security Advisories.
Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You will receive a response within 48 hours and a fix timeline within 7 days for confirmed issues.
Brief is a static analysis and MCP proxy tool. Key security boundaries:
- `brief check` — pure static analysis, reads files only, no network, no execution
- `brief verify` — makes outbound HTTP requests to configured verifier endpoints; URLs come from `brief.toml`, which is under user control
- `brief serve` — spawns MCP server subprocesses declared in `brief.toml`; treat your `brief.toml` as trusted configuration

Do not load `brief.toml` files from untrusted sources. The `mcp_command` field executes arbitrary subprocesses.
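A pre-flight audit that lists every `mcp_command` and every URL a `brief.toml` carries before it is handed to `brief serve` or `brief verify`, added here as an example and not Brief's own code. It assumes only what this policy states: values under `mcp_command` are run as subprocesses, and `brief verify` takes its endpoint URLs from `brief.toml`. The table names in the sample (`servers`, `verify`, `endpoint`) are constructed for the example; the walker does not depend on them and reports the keys wherever they appear in the file.

```python
"""Pre-flight audit of a brief.toml before `brief serve` / `brief verify`.

Added example, not Brief's own code. It relies only on two facts from the
security policy: `mcp_command` values are executed as subprocesses, and
`brief verify` sends HTTP requests to URLs taken from brief.toml.
"""
from typing import Any

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample config; table layout is assumed, not Brief's schema.
SAMPLE_BRIEF_TOML = """
[[servers]]
name = "docs"
mcp_command = ["npx", "-y", "example-mcp-server"]

[[servers]]
name = "local"
mcp_command = "/usr/local/bin/example-mcp-server --stdio"

[verify]
endpoint = "http://verifier.example.internal/check"
"""


def _entries(node: Any, path: str = ""):
    """Yield (dotted_path, key, value) for every key and list element.

    Keys are yielded before their children so a whole `mcp_command` value
    (string or argv list) is seen once, under its own key.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key, value
            yield from _entries(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            here = f"{path}[{i}]"
            yield here, None, value
            yield from _entries(value, here)


def audit_brief_toml(text: str) -> dict[str, list[tuple[str, Any]]]:
    """Return what a config would execute and where it would connect.

    'commands':       every value stored under a key named mcp_command,
                      i.e. exactly what `brief serve` would spawn
    'urls':           every string value that is an http(s) URL
    'cleartext_urls': the subset using plain http://
    """
    config = tomllib.loads(text)
    findings: dict[str, list[tuple[str, Any]]] = {
        "commands": [], "urls": [], "cleartext_urls": []
    }
    for path, key, value in _entries(config):
        if key == "mcp_command":
            findings["commands"].append((path, value))
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            findings["urls"].append((path, value))
            if value.startswith("http://"):
                findings["cleartext_urls"].append((path, value))
    return findings


def summarize(findings: dict[str, list[tuple[str, Any]]]) -> str:
    """Human-readable report for reviewing a config you did not write."""
    lines = [f"{len(findings['commands'])} subprocess command(s) would be spawned:"]
    lines += [f"  {path} = {value!r}" for path, value in findings["commands"]]
    lines.append(f"{len(findings['urls'])} outbound URL(s):")
    lines += [f"  {path} = {value}" for path, value in findings["urls"]]
    for path, value in findings["cleartext_urls"]:
        lines.append(f"  warning: {path} uses cleartext http ({value})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_brief_toml(SAMPLE_BRIEF_TOML)))
```

Run it against any `brief.toml` you received rather than wrote: the `commands` list is precisely the set of processes `brief serve` would start, so if anything there is unexpected, the file should not be loaded at all.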