If you find a security issue, do not open a public issue. Email the maintainer directly or open a private security advisory on GitHub.
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You should receive a response within 48 hours.
- Hardcoded credentials, API keys, or tokens
- JWT signing key exposure
- OAuth2 flow bypasses
- SQL / prompt injection vectors
- Insecure default configurations that could lead to data exposure in production deployments
EKA stores and indexes potentially sensitive internal documentation and code. Vulnerabilities in authentication, authorization, data isolation, and credential management are the highest priority.
- Infrastructure services started by
docker compose(PostgreSQL, Redis, Kafka, Neo4j) running with dev defaults — these are documented as dev-only. - Rate-limit exhaustion on unauthenticated endpoints (tracked as regular issues).