| Version | Supported |
|---|---|
| 0.3.x | ✅ (current development) |

No stable supported release exists yet. Security claims in this document reflect the target posture, not necessarily the current implementation.

Please do not open public issues for security vulnerabilities.
Instead, report security concerns via GitHub Security Advisories or email the maintainer directly.

We will:

- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Issue a fix and coordinated disclosure timeline

DialectOS is undergoing adversarial security auditing. The following measures are targeted; not all are fully implemented in the current release:

- SSRF protection: Provider endpoint validation is under remediation; do not rely on untrusted provider URLs.
- Path traversal protection: File paths are validated before any filesystem operations
- Content length limits: Maximum payload sizes enforced per provider capability
- HTML injection detection: Structure validator rejects disallowed HTML tags in translated output
- Auth key redaction: Common provider tokens are automatically redacted from error messages where implemented
- Circuit breaker: Prevents cascade failures when providers are down
- Rate limiting: Per-provider request throttling with configurable windows
- Atomic writes: Checkpoint files use temp-file + rename pattern with O_EXCL
- `pnpm audit` is run in CI; there are currently pending advisories under remediation.
- Dependabot alerts are monitored and resolved via `pnpm.overrides`
- April 2026: Resolved 18 Critical/High/Medium findings from adversarial audit
- Added semantic drift detection to catch quality degradation attacks
- Implemented provider capability negotiation for safe request validation
- Added chaos harness for deterministic resilience testing
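
The atomic-write measure listed above (temp file + rename with `O_EXCL`) can look like the following in Node.js. This is an added example, not DialectOS code: `writeCheckpointAtomic`, `randomTempPath` and `demo` are hypothetical names, and the checkpoint data is constructed.

```javascript
// Added example; function names are hypothetical, not DialectOS APIs.
const fs = require("fs");
const os = require("os");
const path = require("path");
const crypto = require("crypto");

// Temp file sits beside the target so rename() stays on one filesystem.
function randomTempPath(target) {
  const suffix = crypto.randomBytes(8).toString("hex");
  return path.join(path.dirname(target), `.${path.basename(target)}.${suffix}.tmp`);
}

function writeCheckpointAtomic(target, data, tempPathFor = randomTempPath) {
  const tmp = tempPathFor(target);
  // "wx" = O_CREAT|O_EXCL: EEXIST if a file or symlink already sits at tmp.
  const fd = fs.openSync(tmp, "wx", 0o600);
  try {
    try {
      fs.writeFileSync(fd, data);
      fs.fsyncSync(fd); // flush contents before the rename exposes them
    } finally {
      fs.closeSync(fd);
    }
    fs.renameSync(tmp, target); // readers see old or new, never partial
  } catch (err) {
    fs.rmSync(tmp, { force: true }); // remove only the temp file we created
    throw err;
  }
}

// Constructed demo: write, overwrite, then a collision on the temp path.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ckpt-demo-"));
  const target = path.join(dir, "checkpoint.json");
  writeCheckpointAtomic(target, JSON.stringify({ step: 1 }));
  writeCheckpointAtomic(target, JSON.stringify({ step: 2 }));
  const planted = path.join(dir, "planted.tmp");
  fs.writeFileSync(planted, "pre-existing");
  let collisionCode = null;
  try {
    writeCheckpointAtomic(target, JSON.stringify({ step: 3 }), () => planted);
  } catch (err) {
    collisionCode = err.code;
  }
  const content = fs.readFileSync(target, "utf8");
  const files = fs.readdirSync(dir).sort();
  fs.rmSync(dir, { recursive: true, force: true });
  return { content, collisionCode, files };
}
```

Because `openSync` runs before the `try` block, a collision leaves the pre-existing file untouched and the last good checkpoint in place.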