If you discover a security vulnerability in Bonsai, please report it through GitHub's private vulnerability reporting.
Do not open a public issue for security vulnerabilities.
We will acknowledge your report within 48 hours and provide an initial assessment of the issue.
The following are in scope for security reports:
- CLI binary — command injection, path traversal, unsafe file operations
- Embedded catalog — template injection, unsafe defaults in generated files
- Generated hook scripts — script injection, privilege escalation
- Template rendering — arbitrary code execution via template variables
- Configuration files — sensitive data exposure in
.bonsai.yamlor generated configs
- User-customized files — files you modify after generation are your responsibility
- Third-party dependencies — report these to the upstream maintainer directly
- Claude Code itself — report issues with Claude Code at anthropics/claude-code
Only the latest release is supported with security updates.