Security: juice094/devbase

SECURITY.md

Security Policy

Supported Versions

The following versions of devbase currently receive security updates:

Version Supported
0.14.x
< 0.14

Reporting a Vulnerability

If you discover a security vulnerability in devbase, please report it responsibly.

Preferred method: Use GitHub Private Vulnerability Reporting if enabled. This allows you to disclose the issue privately and collaborate on a fix before public disclosure.

Alternative method: Open a GitHub Issue with the title prefix [SECURITY] and mark it with the security label. Please do not include exploit details in the initial public report — we will reach out to you for technical details.

Disclosure Policy

  • We aim to acknowledge receipt of a security report within 72 hours.
  • We will work to validate the vulnerability and provide a timeline for a fix within 7 days.
  • Once a fix is released, we will publish a security advisory and credit the reporter (with their permission).

Scope

This security policy covers the devbase CLI, MCP server, TUI, and all first-party skills shipped in this repository. Third-party dependencies should be reported to their respective maintainers.

There aren't any published security advisories