Use GitHub Security Advisories / private reporting. Do not open a public issue for security bugs.

Include:

- `cape --version` output.
- The upstream the vulnerability was observed against (do not include credentials).
- A minimal reproduction — ideally with `mockevil` or any local stub provider that returns the malicious chunk you used.
- The alert line from `carapace.log` if `cape` caught it, or the exact response that bypassed detection.
carapace runs as a local process with read access to your upstream API key. It:

- forwards requests verbatim;
- never writes the upstream key anywhere (memory is zeroized on drop);
- never writes request/response bodies to disk (only alert metadata + a 512-byte snippet of the suspicious buffer);
- runs as a single static binary with no network egress except to the `--upstream` you configured.

If any of these properties break under audit, treat it as a critical vulnerability.
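The two properties an auditor can most easily check in isolation are the key zeroization and the bounded alert snippet. The following Rust sketch is an added illustration of what those guarantees look like in code; it is not carapace's own source, and the type and function names (`UpstreamKey`, `wipe`, `make_alert`, `SNIPPET_LIMIT`) are assumptions made here for the example. The 512-byte figure is the one stated above.

```rust
use std::fmt;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Upper bound on how much of a suspicious buffer an alert record may carry.
/// The 512-byte value is from the policy text; the constant name is assumed here.
pub const SNIPPET_LIMIT: usize = 512;

/// Overwrite a buffer with zeros using volatile stores so the optimizer cannot
/// drop the writes as dead just because the memory is about to be freed.
pub fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Holds the upstream API key in memory for the life of the proxy.
/// It is never logged (Debug is redacted) and is wiped when dropped.
pub struct UpstreamKey(Vec<u8>);

impl UpstreamKey {
    pub fn new(raw: &str) -> Self {
        // to_vec() allocates exactly raw.len() bytes, so wipe() covers the whole allocation.
        UpstreamKey(raw.as_bytes().to_vec())
    }

    /// Expose the raw bytes only at the point the outbound request is built.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }
}

impl fmt::Debug for UpstreamKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Never let the key leak through a stray {:?} in a log line.
        write!(f, "UpstreamKey(<redacted, {} bytes>)", self.0.len())
    }
}

impl Drop for UpstreamKey {
    fn drop(&mut self) {
        wipe(&mut self.0);
    }
}

/// What gets persisted when the detector fires: metadata plus a capped snippet,
/// never the full request or response body.
#[derive(Debug, Clone, PartialEq)]
pub struct Alert {
    pub rule: String,
    pub offset: usize,
    /// Length of the suspicious buffer before truncation, so the reader knows
    /// how much was cut.
    pub original_len: usize,
    pub snippet: Vec<u8>,
}

/// Build an alert from a suspicious buffer, keeping at most SNIPPET_LIMIT bytes.
pub fn make_alert(rule: &str, offset: usize, suspicious: &[u8]) -> Alert {
    let keep = suspicious.len().min(SNIPPET_LIMIT);
    Alert {
        rule: rule.to_string(),
        offset,
        original_len: suspicious.len(),
        snippet: suspicious[..keep].to_vec(),
    }
}

fn main() {
    // Constructed sample values; not a real key or a real detection.
    let key = UpstreamKey::new("sk-constructed-example-key");
    println!("{:?}", key); // prints a redacted placeholder, never the key bytes
    let _header = format!("Bearer {}", String::from_utf8_lossy(key.expose()));
    drop(key); // key bytes are zeroed here

    let suspicious = vec![b'A'; 1000]; // constructed 1000-byte malicious chunk
    let alert = make_alert("constructed-rule", 17, &suspicious);
    println!(
        "rule={} offset={} original_len={} stored={}",
        alert.rule, alert.offset, alert.original_len, alert.snippet.len()
    );
}
```

An auditor can confirm the first property by wiping a copy of the key buffer and inspecting it, and the second by feeding a buffer larger than 512 bytes through `make_alert` and checking the stored length; anything that writes a whole body, or a key, past these boundaries is exactly the kind of break the paragraph above calls critical.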