If you find a security issue in authsome, please tell us privately so we can fix it before it’s public.
How to report
Email security@agentr.dev with:
- A clear description of the issue and its impact.
- Steps to reproduce. A minimal proof of concept is ideal.
- Affected versions if you’ve narrowed it down (`uvx authsome --version`).
- Your name and a way to credit you in the fix announcement, if you’d like credit.
What to expect
| Step | Timeline |
|---|---|
| Acknowledgement | Within 72 hours |
| Triage and severity assessment | Within 5 business days |
| Fix scoping and target release | Communicated after triage |
| Coordinated disclosure | After a fix is released, unless the issue is being actively exploited |
Scope
In scope:
- The authsome CLI, library, and daemon.
- Bundled provider definitions under `src/authsome/auth/bundled_providers/`.
- The mitmproxy-based local HTTP proxy.
- The daemon dashboard UI.

Out of scope:
- Bugs in third-party providers’ OAuth implementations. Report those to the provider.
- Bugs in the dependencies authsome ships. Report those upstream. We will track the relevant CVE and bump our pinned version.
- Issues that require local root or physical access to the machine. Authsome’s threat model assumes the local machine and user account are trusted; see Threat model.
What we won’t do
- We won’t pay bounties. Authsome is open source; we credit researchers in release notes.
- We won’t act on unverified reports. We need reproducible steps or a clear theoretical model.
- We won’t publish a fix before triage is complete.