If you discover a security vulnerability in bd, please report it responsibly:

Email: security@steveyegge.com (or open a private security advisory on GitHub)

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will respond within 48 hours and work with you to address the issue.

bd stores issue data locally in:

• SQLite databases (.beads/*.db) - local only, gitignored
• JSONL files (.beads/issues.jsonl) - committed to git

Important:

• Do not store sensitive information (passwords, API keys, secrets) in issue descriptions or metadata
• Issue data is committed to git and will be visible to anyone with repository access
• bd does not encrypt data at rest (it's a local development tool)

• bd uses standard git operations (no custom protocols)
• Export/import operations read and write local files only
• No network communication except through git itself
• Git hooks (if used) run with your local user permissions

bd uses parameterized SQL queries to prevent SQL injection. However:

• Do not pass untrusted input directly to bd commands
• Issue IDs are validated against the pattern ^[a-z0-9-]+$
• File paths are validated before reading/writing

bd has minimal dependencies:

• Go standard library
• SQLite (via modernc.org/sqlite - pure Go implementation)
• Cobra CLI framework

All dependencies are regularly updated. Run go mod verify to check integrity.

We provide security updates for:

Once version 1.0 is released, we will support the latest major version and one previous major version.

1. Don't commit secrets - Never put API keys, passwords, or credentials in issue descriptions
2. Review before export - Check .beads/issues.jsonl before committing sensitive project details
3. Use private repos - If your issues contain proprietary information, use private git repositories
4. Validate git hooks - If using automated export/import hooks, review them for safety
5. Regular updates - Keep bd updated to the latest version: go install github.com/steveyegge/beads/cmd/bd@latest

• bd is designed for development/internal use, not production secret management
• Issue data is stored in plain text (both SQLite and JSONL)
• No built-in encryption or access control (relies on filesystem permissions)
• No audit logging beyond git history

For sensitive workflows, consider using bd only for non-sensitive task tracking.

Security updates will be announced via:

• GitHub Security Advisories
• Release notes on GitHub
• Git commit messages (tagged with [security])

Subscribe to the repository for notifications.