Security: Cerid-AI/quenchforge

Security Policy

Reporting a vulnerability

If you believe you've found a security vulnerability in Quenchforge, please do not open a public GitHub issue. Instead, use GitHub's private vulnerability reporting via the Security tab of this repository.

If GitHub's flow is unavailable, you may email security@cerid-ai.com (PGP key fingerprint published at https://cerid-ai.com/.well-known/security.txt once the project is public).

What to include

  • A clear description of the issue and its impact
  • Reproduction steps (and a minimal proof-of-concept if applicable)
  • Affected version(s) — quenchforge --version output is ideal
  • Your hardware profile (quenchforge doctor --redacted)
  • Whether you'd like credit in the eventual advisory

What we'll do

  • Acknowledge receipt within 3 business days
  • Triage the report and confirm scope within 7 business days
  • Best-effort: aim to ship a fix within 30 days for high-severity issues. Low-severity issues may be batched into the next release.
  • Coordinate a disclosure timeline with you. Default: 90 days from report or coincident with the fix release, whichever comes first.
  • Credit you in the GitHub Security Advisory unless you've asked otherwise.

Scope

In scope:

  • quenchforge daemon and CLI (cmd/, internal/)
  • HTTP API surface served on the local listener (Ollama / OpenAI routes)
  • Vendored Olla gateway code (in internal/gateway/)
  • Vendored llama.cpp / whisper.cpp only where our patch series introduces a vulnerability. Upstream-only vulnerabilities should be reported to ggml-org/llama.cpp directly.
  • The Homebrew formula in Formula/
  • The Quenchforge launchd plist generated by the Homebrew service do block
  • Update mechanism (signature verification, notarization checks)
  • Telemetry payload privacy (anything that contradicts the consent-screen copy is in scope)

Out of scope:

  • Vulnerabilities in macOS itself (report to Apple via the Apple Security Bounty)
  • Vulnerabilities in unrelated upstream projects (llama.cpp, whisper.cpp, Olla, Go stdlib) when not exposed by our integration
  • Issues caused by user-modified models or local environment compromise
  • Denial-of-service via local resource exhaustion (the supervisor is best-effort against malicious local clients)
  • Issues that require root or physical access to the machine

Hall of Fame

A list of researchers who have responsibly disclosed vulnerabilities to Quenchforge will appear here once we have any to acknowledge.


This policy is loosely modeled on the Go Vulnerability Reporting Guidelines and Sigstore's security policy.

There aren't any published security advisories