We take security seriously. If you discover a security vulnerability in rememb, please report it responsibly.
- Email your report to: luizedupp@gmail.com
- Do NOT open a public GitHub issue for security vulnerabilities
- Include "SECURITY:" in the subject line
What to include:
- Vulnerability description (what is broken?)
- Steps to reproduce (how to trigger it?)
- Affected versions (which rememb versions are vulnerable?)
- Suggested fix (if you have one)
- Your contact info (for follow-up and credit)
What we commit to:
- Acknowledge receipt within 24 hours
- Provide a fix timeline within 48 hours
- Keep you updated on progress
- Credit you in the security advisory (unless you prefer anonymity)
- Release a patched version within 7 days for critical issues
Severity Levels
| Level | Description | Example |
|---|---|---|
| Critical | Remote code execution, data breach, auth bypass | Memory injection, arbitrary file write |
| High | Privilege escalation, DoS, authentication flaw | Bypass semantic_scope checks |
| Medium | Information leak, input validation bypass | Exposed paths in error messages |
| Low | Hardening improvements, minor config issues | Weak default settings |
File Permissions
- rememb stores sensitive memories in ~/.rememb/. Ensure that directory has restrictive permissions:
  chmod 700 ~/.rememb
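Because rememb does not encrypt data at rest, the file system permissions on ~/.rememb are the only protection for stored memories. The following audit script is an added example, not part of rememb: it walks a directory and reports any symlink, entry owned by another user, or group/other permission bit; the file names used in demo_findings() are constructed and do not reflect rememb's real layout.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that must be clear on a private directory or file.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_private_dir(root):
    """Return a list of (path, problem) findings for root and everything under it.

    An empty list means the tree is private to the calling user: no symlinks,
    every entry owned by this uid, and no group/other permission bits set
    (directories at most 0700, files at most 0600).
    """
    root = Path(root)
    if not root.exists():
        return [(str(root), "missing")]
    entries = [root] + [Path(d) / n for d, ds, fs in os.walk(root) for n in ds + fs]
    findings = []
    for p in entries:
        st = p.lstat()
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(p), "is a symlink; expected a regular file or directory"))
        elif st.st_uid != os.getuid():
            findings.append((str(p), f"owned by uid {st.st_uid}, not the current user"))
        elif mode & GROUP_OTHER:
            findings.append((str(p), f"mode {mode:04o} grants group/other access"))
    return findings


def demo_findings():
    """Audit a constructed sample tree: one correctly locked file and one
    world-readable file (hypothetical names, not rememb's real storage layout)."""
    root = Path(tempfile.mkdtemp())          # mkdtemp creates the directory as 0700
    good = root / "memories.json"
    good.write_text("{}")
    os.chmod(good, 0o600)                    # private to the owner: passes the audit
    bad = root / "export.json"
    bad.write_text("{}")
    os.chmod(bad, 0o644)                     # readable by everyone: flagged
    return audit_private_dir(root)


if __name__ == "__main__":
    for path, problem in audit_private_dir(Path.home() / ".rememb"):
        print(f"{path}: {problem}")
```

Run it after `chmod 700 ~/.rememb` to confirm nothing under the directory is still readable by other users.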
Semantic Security Guard
- The 88% similarity threshold prevents most duplicates
- Review entries before storing highly sensitive information
- rememb does NOT encrypt data at rest (local file system only)
Updates
- Keep rememb updated: pip install --upgrade rememb
- Subscribe to releases for security patches
Dependency Audit
- rememb depends on sentence-transformers, textual, typer and mcp. These are vetted production libraries
- We monitor for vulnerability alerts via GitHub Dependabot
Response Process
Once a vulnerability is reported:
| Timeline | Action |
|---|---|
| Day 0 | Acknowledge receipt, assign severity |
| Day 1-2 | Develop and test fix |
| Day 3-7 | Release patched version (critical issues: Day 1-2) |
| Day 7+ | Publish security advisory with credit |
Supported Versions
- v0.4.x (current) — Active (security patches + features)
- v0.3.x — Limited Support (security patches only)
- v0.2.x and older — Unsupported (end-of-life)
rememb is a local-first tool with no network dependencies. There are no:
- ❌ Remote APIs to attack
- ❌ Cloud storage to compromise
- ❌ Authentication servers to bypass
- ✅ Only local JSON-backed storage with file system permissions
Last Updated: April 28, 2026
Contact: luizedupp@gmail.com