Skip to content

Security: exmergo/dex

Security

SECURITY.md

Security Policy

dex connects to data warehouses, discovers credentials, and writes to your repository, so security is a first-class concern and several guarantees are enforced in the engine itself: read-only against your data, writes confined to reviewable diffs, dev-target-only builds, cost surfaced before any spend, and credentials and raw rows kept out of agent context. If you find a way to violate any of these, we want to hear about it.

Reporting a vulnerability

Please report security issues privately. Do not open a public GitHub issue for a vulnerability.

Include the affected version, a description of the issue, and the steps to reproduce it. Please do not include real credentials or raw warehouse data in your report; a sanitized reproduction is enough.

What to expect

  • We aim to acknowledge your report within 3 business days.
  • We will confirm the issue, share our assessment and a remediation timeline, and keep you updated as we work on a fix.
  • We will credit you in the release notes when the fix ships, unless you prefer to remain anonymous.

Supported versions

dex is in early, pre-release development. Security fixes are applied to the latest published version only. Pin to a released version and upgrade promptly when a security release is announced.

There aren't any published security advisories