| Version | Support |
|---|---|
| 5.x | Active support |
| 4.x | Security fixes only |
| < 4.0 | End of life |
Do not open a public GitHub issue for security vulnerabilities. Instead, use GitHub's private vulnerability reporting:
- Go to: https://github.com/javierdejesusda/checkllm/security/advisories/new
- Fill in the vulnerability details (description, reproduction steps, impact).
- Submit — this creates a private draft visible only to maintainers.
Alternatively, send details to javier.dejesusj9@gmail.com with the subject line `[SECURITY] checkllm vulnerability report`.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Potential impact assessment
- Suggested fix (optional)
| Stage | Target |
|---|---|
| Acknowledgement | 48 hours |
| Initial assessment | 5 business days |
| Fix timeline communicated | 10 business days |
| Patch released | 90 days or less |
Published advisories: https://github.com/javierdejesusda/checkllm/security/advisories
Out of scope:
- Social engineering attacks
- Security issues in third-party judge backends (OpenAI, Anthropic, Gemini, etc.)
- API key exposure caused by end-user misconfiguration
- Vulnerabilities in Python itself or its standard library
- Issues requiring physical access to the user's machine