Security Policy
May 11, 2026
Supported Versions
| Version | Supported |
|---|---|
| 0.3.x | :white_check_mark: (current development) |
No stable supported release exists yet. Security claims in this document reflect the target posture, not necessarily the current implementation.
Reporting a Vulnerability
Please do not open public issues for security vulnerabilities.
Instead, report security concerns via GitHub Security Advisories or email the maintainer directly.
We will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Issue a fix and coordinated disclosure timeline
Security Hardening
DialectOS is undergoing adversarial security auditing. The following measures are targeted; not all are fully implemented in the current release:
Input Validation
- SSRF protection: Provider endpoint validation is under remediation; do not rely on untrusted provider URLs.
- Path traversal protection: File paths are validated before any filesystem operations
- Content length limits: Maximum payload sizes enforced per provider capability
Output Safety
- HTML injection detection: Structure validator rejects disallowed HTML tags in translated output
- Auth key redaction: Common provider tokens are automatically redacted from error messages where implemented
Resilience
- Circuit breaker: Prevents cascade failures when providers are down
- Rate limiting: Per-provider request throttling with configurable windows
- Atomic writes: Checkpoint files use temp-file + rename pattern with O_EXCL
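The atomic-write item above, sketched as an added example in Node.js (assumed from the project's use of pnpm); this is not DialectOS's own code, and `writeCheckpointAtomic`, `demoCheckpointWrites` and the file names are hypothetical. It shows the exclusive-create temp file, the flush before rename, and cleanup on failure.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const crypto = require('node:crypto');

// Hypothetical helper (not a DialectOS API): write data to targetPath atomically.
function writeCheckpointAtomic(targetPath, data) {
  // Keep the temp file in the target's directory so rename() never crosses filesystems.
  const tmpPath = path.join(
    path.dirname(targetPath),
    `.${path.basename(targetPath)}.${crypto.randomBytes(8).toString('hex')}.tmp`
  );
  // 'wx' is O_WRONLY | O_CREAT | O_EXCL: the open fails with EEXIST if anything,
  // including a pre-planted symlink, already exists at tmpPath.
  const fd = fs.openSync(tmpPath, 'wx', 0o600);
  try {
    try {
      fs.writeFileSync(fd, data);
      fs.fsyncSync(fd); // flush contents before the rename makes them visible
    } finally {
      fs.closeSync(fd);
    }
    // Readers see either the old checkpoint or the complete new one, never a partial file.
    fs.renameSync(tmpPath, targetPath);
  } catch (err) {
    fs.rmSync(tmpPath, { force: true }); // do not leave a stray temp file behind
    throw err;
  }
  return targetPath;
}

// Constructed demonstration in a throwaway directory under the OS temp dir.
function demoCheckpointWrites() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ckpt-'));
  const target = path.join(dir, 'checkpoint.json');
  writeCheckpointAtomic(target, JSON.stringify({ step: 1 }));
  writeCheckpointAtomic(target, JSON.stringify({ step: 2 })); // replaces the first
  // Exclusive create refuses a path that is already occupied.
  const planted = path.join(dir, 'planted');
  fs.writeFileSync(planted, 'x');
  let exclCode = null;
  try { fs.openSync(planted, 'wx'); } catch (err) { exclCode = err.code; }
  const content = JSON.parse(fs.readFileSync(target, 'utf8'));
  const leftovers = fs.readdirSync(dir).filter((name) => name.endsWith('.tmp'));
  fs.rmSync(dir, { recursive: true, force: true });
  return { content, leftovers, exclCode };
}
```

For durability across power loss, the containing directory would also need an fsync after the rename; this sketch covers only the atomic replacement.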
Dependencies
- `pnpm audit` is run in CI; currently there are pending advisories under remediation.
- Dependabot alerts are monitored and resolved via `pnpm.overrides`
Recent Security Work
- April 2026: Resolved 18 Critical/High/Medium findings from adversarial audit
- Added semantic drift detection to catch quality degradation attacks
- Implemented provider capability negotiation for safe request validation
- Added chaos harness for deterministic resilience testing