We release security patches for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version of BMad Method to ensure you have the most recent security updates.
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of these methods:
-
GitHub Security Advisories (Preferred): Use GitHub's private vulnerability reporting to submit a confidential report.
-
Discord: Contact a maintainer directly via DM on our Discord server.
Please include as much of the following information as possible:
- Type of vulnerability (e.g., prompt injection, path traversal, etc.)
- Full paths of source file(s) related to the vulnerability
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if available)
- Impact assessment of the vulnerability
- Initial Response: Within 48 hours of receiving your report
- Status Update: Within 7 days with our assessment
- Resolution Target: Critical issues within 30 days; other issues within 90 days
- We will acknowledge receipt of your report
- We will investigate and validate the vulnerability
- We will work on a fix and coordinate disclosure timing with you
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- Vulnerabilities in BMad Method core framework code
- Security issues in agent definitions or workflows that could lead to unintended behavior
- Path traversal or file system access issues
- Prompt injection vulnerabilities that bypass intended agent behavior
- Supply chain vulnerabilities in dependencies
- Security issues in user-created custom agents or modules
- Vulnerabilities in third-party AI providers (Claude, GPT, etc.)
- Issues that require physical access to a user's machine
- Social engineering attacks
- Denial of service attacks that don't exploit a specific vulnerability
When using BMad Method:
- Review Agent Outputs: Always review AI-generated code before executing it
- Limit File Access: Configure your AI IDE to limit file system access where possible
- Keep Updated: Regularly update to the latest version
- Validate Dependencies: Review any dependencies added by generated code
- Environment Isolation: Consider running AI-assisted development in isolated environments
We appreciate the security research community's efforts in helping keep BMad Method secure. Contributors who report valid security issues will be acknowledged in our security advisories.
Thank you for helping keep BMad Method and our community safe.