We actively support the following versions of Convo:

If you discover a security vulnerability in Convo, please report it responsibly:

1. Do NOT create a public issue
2. Email the maintainer directly (create a private vulnerability report on GitHub)
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Create an issue using the [security template]
• Mark it with the security label
• Provide as much detail as possible

• Convo programs run with the same permissions as the Python interpreter
• Be cautious when running untrusted Convo code
• Consider sandboxing when executing user-provided programs

When using Convo for Discord bots:

• Never commit bot tokens to version control
• Use environment variables or .env files for sensitive data
• Follow Discord's security best practices
• Validate all user inputs
• Implement rate limiting for bot commands

• Convo's file operations respect system permissions
• Be aware of path traversal risks with user-provided file paths
• Validate file paths and names before operations

1. Keep dependencies updated - Regularly update Python and required packages
2. Use virtual environments - Isolate Convo installations
3. Validate inputs - Always validate user-provided data
4. Principle of least privilege - Run with minimal necessary permissions
5. Review code - Carefully review Convo programs before execution

We appreciate responsible disclosure and will work with security researchers to address issues promptly.