Security Policy

Security

Last updated: May 2025

Reporting a vulnerability

If you discover a security vulnerability in Quell — the CLI tool, the web dashboard, or the backend API — please report it privately. Do not open a public GitHub issue for security vulnerabilities.

Contact
bindalshashank.89@gmail.com

Use the subject line: [SECURITY] brief description

We will acknowledge your report within 48 hours and provide a timeline for resolution. We aim to patch critical vulnerabilities within 7 days and moderate ones within 30 days.

Scope

The following are in scope:

  • Authentication bypass or privilege escalation in the web dashboard
  • API key leakage or unauthorised access to API keys
  • SQL injection, XSS, or CSRF in the web application
  • Arbitrary code execution in the CLI tool triggered by malicious input
  • Unsafe deserialization in any component

The following are out of scope:

  • Denial-of-service attacks
  • Social engineering attacks targeting Quell staff
  • Vulnerabilities in third-party services (GitHub, Vercel, Render)
  • Issues requiring physical access to a user's machine

Data handling

Quell CLI runs locally. By default, no source code leaves your machine.

  • The rule engine (~75% of cases) is fully offline — no network call.
  • The LLM fallback sends only the relevant docstring/signature fragment, never the full file.
  • LLM fallback is opt-in — you configure the provider and key explicitly via quell auth.
  • API keys are stored in your OS keyring (not in plaintext config files).

Responsible disclosure

We follow a coordinated disclosure model. Once a fix is ready and deployed, we will publicly credit the reporter in the changelog (with their permission) and disclose the vulnerability details. We ask that reporters refrain from public disclosure for at least 90 days after initial contact, or until the fix is shipped — whichever comes first.

Bug bounty

Quell does not currently offer a paid bug bounty program. We sincerely appreciate responsible disclosure and will give credit in release notes and, where appropriate, recognise researchers publicly.

Contact

For non-security questions about Quell, reach us at bindalshashank.89@gmail.com.