codesight is a local, offline application: it reads .git directories on your machine and makes no network calls. This makes its attack surface small, but we still take security seriously — especially because the app parses untrusted repository data.

The project is pre-1.0. Only the latest released version receives security fixes.

Please do not report security vulnerabilities through public GitHub issues.

Instead, report privately via one of:

• GitHub's private vulnerability reporting (preferred), or
• Email: yusuf@ozdemir.be

Please include:

• A description of the vulnerability and its impact.
• Steps to reproduce (a sample repository or input is very helpful).
• The version / commit you tested against.

• We aim to acknowledge reports within 5 business days.
• We will keep you informed about progress toward a fix.
• Once a fix is released, we are happy to credit you (unless you prefer to remain anonymous).

Thank you for helping keep codesight and its users safe.