If you discover a security vulnerability in CodeLedger, please report it responsibly.

Do NOT open a public issue. Use one of these methods:

- GitHub private vulnerability reporting — Report a vulnerability
- Email — bhvbhushan@gmail.com with subject "CodeLedger Security"

After you report, you can expect:

- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix target within 14 days for critical issues
- Credit in release notes (unless you prefer anonymity)
| Version | Supported |
|---|---|
| Latest (0.x) | Yes |
This policy covers:

- The `codeledger` npm package
- The CodeLedger GitHub repository
- JSONL parsing logic (path traversal, arbitrary file read)
- SQLite query construction (injection)
- Dashboard HTML rendering (XSS)
- Hook handler input processing

Out of scope (please report these elsewhere):

- Bugs in Claude Code itself (report to Anthropic)
- Bugs in dependencies (report upstream)
- Feature requests (use Issues)
- Cosmetic issues
CodeLedger is a local-only tool:

- All data stays in `~/.codeledger/` — zero network calls (free tier)
- SQLite database created with `0600` permissions (owner read/write only)
- Database directory created with `0700` permissions (owner only)
- No authentication required — same trust model as Claude Code itself
- MCP server uses stdio transport (no network listener)
- Dashboard serves on localhost only