Thank you for taking the time to investigate Kozou's security. We appreciate responsible disclosure and aim to work with reporters to resolve issues quickly.
If you discover a security vulnerability in Kozou, please do not open a public GitHub issue. Instead, report it through one of the private channels below:
- Preferred — GitHub Security Advisories: https://github.com/kozou-dev/kozou/security/advisories/new
- Alternative — email: hello@kozou.org
We aim to acknowledge reports within 3 business days.
When reporting, please include as much of the following as you can:
- A description of the vulnerability and its potential impact
- Steps to reproduce, including a minimal proof-of-concept if possible
- The affected version (
kozou,@kozou/core,@kozou/introspect,@kozou/mcp,@kozou/svelte-ui, or theghcr.io/kozou-dev/kozouimage tag) - Any suggested mitigation or fix
Only the latest 1.x release line receives security fixes. The 0.x
releases predate the v1.0 stable contract and are no longer supported.
| Version | Supported |
|---|---|
1.x |
✅ |
< 1.0 |
❌ |
In scope:
- The published npm packages (
kozou— including itscreate-kozoubin —@kozou/core,@kozou/introspect,@kozou/mcp,@kozou/svelte-ui) - The published container image (
ghcr.io/kozou-dev/kozou) - The source code in this repository
Out of scope:
- Issues that require the attacker to already control the PostgreSQL
schema (DDL or
COMMENTtext). Schema authors are inside Kozou's trust boundary by design — see docs/security.md for the threat model and the mitigations under consideration forv0.1.1+. - Issues in third-party dependencies (PostgreSQL itself, PostgREST, Docker, Node.js). Please report those upstream.
- We aim to confirm receipt of your report within 3 business days.
- We will keep you informed as we investigate and develop a fix.
- We will coordinate the public disclosure timeline with you so that users have a patched version available before details are made public.
- We will credit reporters in the security advisory unless you ask to remain anonymous.