dex connects to data warehouses, discovers credentials, and writes to your repository, so security is a first-class concern and several guarantees are enforced in the engine itself: read-only against your data, writes confined to reviewable diffs, dev-target-only builds, cost surfaced before any spend, and credentials and raw rows kept out of agent context. If you find a way to violate any of these, we want to hear about it.
Please report security issues privately. Do not open a public GitHub issue for a vulnerability.
- Preferred: open a private report through GitHub's security advisories at https://github.com/exmergo/dex/security/advisories/new
- Or email security@exmergo.com.
Include the affected version, a description of the issue, and the steps to reproduce it. Please do not include real credentials or raw warehouse data in your report; a sanitized reproduction is enough.
- We aim to acknowledge your report within 3 business days.
- We will confirm the issue, share our assessment and a remediation timeline, and keep you updated as we work on a fix.
- We will credit you in the release notes when the fix ships, unless you prefer to remain anonymous.
dex is in early, pre-release development. Security fixes are applied to the latest published version only. Pin to a released version and upgrade promptly when a security release is announced.