We actively support the following versions of Weavegraph with security updates:
| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ❌ |
| < 0.1.0 | ❌ |

We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them by:
- Opening a security advisory on our GitHub Security Advisories page
- Or emailing the maintainers directly (contact information available in project metadata)
Please include the following information in your report:
- Description of the vulnerability: A clear description of the issue
- Steps to reproduce: Detailed steps to reproduce the vulnerability
- Potential impact: Your assessment of the potential impact
- Suggested fix: If you have a fix or mitigation in mind, please share it
- Affected versions: Which versions of Weavegraph are affected
- Environment details: Operating system, Rust version, and any relevant configuration
- Initial response: Within 72 hours of receiving your report
- Status updates: We will provide regular updates (at least weekly) on our progress
- Resolution timeline:
  - Critical vulnerabilities: We aim to release a patch within 7 days
  - High severity: Within 30 days
  - Medium/Low severity: Within 90 days
- Acknowledgment: We will acknowledge receipt of your vulnerability report
- Validation: We will validate the vulnerability and determine its severity
- Fix development: We will work on a fix, potentially requesting your input
- Coordinated disclosure: We will coordinate disclosure timing with you
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
When using Weavegraph:
- SQLite: Ensure database files have appropriate file permissions (chmod 600)
- PostgreSQL: Use strong passwords, TLS connections, and principle of least privilege for database users
- Never commit connection strings or credentials to version control
- Sensitive data: Avoid logging sensitive information (credentials, PII, etc.) in node outputs
- Event sinks: Ensure event sinks (file, network) have appropriate access controls
- JSON Lines logs: Rotate and protect log files containing event streams
- API keys: Store API keys securely (environment variables, secret managers)
- Prompt injection: Sanitize user inputs before passing to LLM nodes
- Rate limiting: Implement appropriate rate limiting for LLM API calls
- Input validation: Always validate user inputs before adding to state
- State snapshots: Be cautious about serializing/deserializing state from untrusted sources
We use cargo-deny in CI to check for known vulnerabilities in dependencies. Current advisories we track:
- See deny.toml for our advisory ignore list and rationale
Weavegraph depends on Tokio for async execution. Follow Tokio security best practices.
When we receive a security vulnerability report, we will:
- Work with the reporter to validate and fix the issue
- Create a security advisory on GitHub
- Release a patched version
- Publish the advisory after the patch is available
- Credit the reporter (with their permission)
We follow a 90-day disclosure timeline: we aim to release fixes within this period, and will disclose the vulnerability 90 days after the initial report (or sooner if a patch is available).
Subscribe to security advisories via:
- GitHub Security Advisories
- Watch the repository for releases
- Follow the project for announcements
If you have questions about this security policy, please open a discussion on GitHub or contact the maintainers.
Last updated: 2026-03-06