Report a vulnerability → open a private report on the affected repository via GitHub Private Vulnerability Reporting. This keeps the details confidential between you and the maintainer until a fix ships.
How to report
Cendor uses GitHub's private vulnerability reporting for coordinated disclosure, so there is no public issue and no email needed. Open a report on the repository the issue affects:
- Libraries (Python): cendor-libs
- SDK (Python): cendor-sdk
- Libraries (TypeScript): cendor-libs-js
- SDK (TypeScript): cendor-sdk-js
If you are unsure which repository is affected, report against cendor-libs and we will route it. A machine-readable pointer to this page lives at /.well-known/security.txt (RFC 9116).
What to include
- The affected package and version (and language — Python or TypeScript).
- A clear description of the issue and its impact.
- Steps to reproduce, or a minimal proof-of-concept, if you have one.
Scope
In scope: the Cendor libraries and SDK (Python and TypeScript), and the cendor.ai website including the in-browser Try playground.
Out of scope / worth knowing:
- The Try playground runs entirely in your browser and calls AI providers directly with your key — issues in a third-party provider's API belong to that provider, not to us. How keys are handled is described in the Privacy Policy.
- The site is a static site behind Cloudflare with an enforced Content-Security-Policy and standard security headers; infrastructure-level issues in Cloudflare itself should go to Cloudflare.
- Please avoid denial-of-service testing, automated scanning that degrades the service, or accessing data that is not yours.
What to expect
This is a small, independent open-source project maintained by one person, so please allow reasonable time for a response and fix. We aim to acknowledge a valid report promptly, keep you updated, and credit you in the advisory once a fix is released, if you would like. We ask that you give us a reasonable window to remediate before any public disclosure.
Good-faith research
We will not pursue or support legal action against anyone who reports a vulnerability in good faith, follows this policy, avoids privacy violations and service disruption, and does not access or retain more data than necessary to demonstrate the issue. Thank you for helping keep Cendor's users safe.
Related: Privacy Policy · Terms of Use · Contact.