Promptfoo Responsible Vulnerability Disclosure Policy

Promptfoo values the security and privacy of our users, customers, and the broader community. We welcome responsible disclosure of vulnerabilities to help us ensure the ongoing security of our open source projects, cloud services, and on-premises deployments.

Scope

This policy covers vulnerabilities discovered in:

  • Promptfoo Open Source Software
  • Promptfoo Cloud Services
  • Promptfoo On-premises Software Components

Reporting Vulnerabilities

If you discover a potential vulnerability, please responsibly disclose it to us by emailing [email protected]. Include the following details:

  • A description of the vulnerability and detailed steps to reproduce it.
  • The software version and/or cloud environment in which the issue was discovered.
  • The potential security impact.
  • Your contact information, if you are comfortable sharing it, so we can follow up.

Responsible Disclosure Guidelines

When researching or disclosing vulnerabilities:

  • Do not exploit the vulnerability beyond the minimal testing needed to demonstrate the issue.
  • Do not disclose the vulnerability publicly or to third parties before it is resolved.
  • Allow Promptfoo reasonable time to investigate and remediate the issue before public disclosure.

Our Commitment

Upon receiving your disclosure, Promptfoo commits to:

  • Acknowledge your report promptly and keep you informed throughout the remediation process.
  • Work diligently to resolve vulnerabilities in a timely manner.
  • Provide recognition (with your consent) for your responsible disclosure in our security acknowledgments, changelogs, or other public communications.

Out-of-Scope

The following items are out-of-scope for our vulnerability disclosure program:

  • Issues related to social engineering or phishing attacks.
  • Vulnerabilities affecting only outdated versions of Promptfoo software that are no longer actively supported.
  • Non-security-related bugs or functionality requests.

Thank you for helping us protect Promptfoo users and improve our software's security.