Forge is a security product. We take vulnerabilities in our SDKs seriously.
Email security@veritera.ai with the subject line: [SECURITY] crewai-forge — <brief description>
Include:
- Package name and version
- Description of the vulnerability
- Steps to reproduce
- Impact assessment (what an attacker could do)
- Authentication or authorization bypass
- Data exposure through the SDK
- Injection vectors in SDK inputs
- Receipt signature forgery or verification bypass
- Cryptographic implementation flaws (Ed25519, HMAC-SHA256)
- Dependency vulnerabilities with an exploitable path
- Bugs on the marketing website (veritera.ai)
- Social engineering
- Denial of service against the hosted API (report via support@veritera.ai)
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Patch for critical issues | Within 14 days |
| Patch for non-critical issues | Next scheduled release |
We follow coordinated disclosure with a 90-day window. After 90 days, or after a fix is released (whichever comes first), the reporter may publish details.
We publicly acknowledge responsible disclosures in our CHANGELOG (opt-in). If you'd like credit, include your preferred name and link in your report.
This policy covers the crewai-forge Python package and its published dependencies. For the Forge API service, contact support@veritera.ai.