The Bitloops team takes security issues seriously. We appreciate responsible disclosure and will make every effort to acknowledge valid reports and handle them carefully.
If you believe you found a vulnerability, please report it privately. Do not open a public issue for anything that could expose users, repositories, credentials, prompts, local metadata, or private code.
- GitHub Security Advisories for this repository (use the "Report a vulnerability" button on the Security tab)
- Email opencode@bitloops.com with "SECURITY" in the subject line
Please include as much of the following as possible:
- A clear description of the issue and its impact
- The affected version, release, or commit SHA
- Your environment, including OS and install method
- The affected Bitloops surface area, such as the CLI, dashboard, git hooks, local storage, or agent integration
- Reproduction steps or a proof of concept
- Any logs, screenshots, or sample payloads with secrets redacted
We will aim to:
- Acknowledge receipt within 3 business days
- Triage the report and determine severity
- Keep you updated as the investigation progresses
- Coordinate disclosure after a fix or mitigation is available
Bitloops is evolving quickly. We prioritize security fixes for the latest release and the current main branch. Older versions may be reviewed on a case-by-case basis, but backports are not guaranteed.