The AG-UI-4J project takes security seriously. We appreciate the security research community's efforts in helping us maintain the security of our project and protecting our users.

We provide security updates for the following versions of AG-UI-4J:

Note: As this project is currently in development (pre-1.0), security updates will be applied to the main branch. Once we reach stable releases, this table will be updated with our long-term support policy.

Please DO NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, please report security vulnerabilities responsibly through one of these methods:

1. Navigate to the Security Advisories page
2. Click "Report a vulnerability"
3. Fill out the vulnerability report form
4. Submit the report

If you cannot use GitHub Security Advisories, email us directly:

• Email: [email protected]
• Subject: [SECURITY] AG-UI-4J Vulnerability Report

To help us understand and resolve the issue quickly, please include as much of the following information as possible:

• Description of the vulnerability
• Steps to reproduce the issue
• Affected versions of AG-UI-4J
• Impact assessment (what an attacker could achieve)

• Proof of concept code or screenshots
• Suggested fix if you have one
• CVSS score if you've calculated one
• Related CVE numbers if applicable
• Your preferred contact method for follow-up

**Vulnerability Type:** [e.g., SQL Injection, XSS, Authentication Bypass]
**Affected Component:** [e.g., packages/http, packages/client]
**Affected Versions:** [e.g., All versions, 1.0.0-1.0.5]
**Severity:** [e.g., Critical, High, Medium, Low]

**Description:**
[Detailed description of the vulnerability]

**Steps to Reproduce:**
1. [Step 1]
2. [Step 2]
3. [Step 3]

**Impact:**
[What an attacker could achieve]

**Proof of Concept:**
[Code snippet, screenshots, or detailed explanation]

**Suggested Fix:**
[If you have suggestions for fixing the issue]

We are committed to responding to security reports promptly:

1. Validation - We verify and reproduce the reported vulnerability
2. Assessment - We assess the impact and assign a severity level
3. Development - We develop and test a fix
4. Review - Internal security review of the fix
5. Release - We release the security update
6. Disclosure - We publish details after users have had time to update

We use the following severity classification:

• Critical - Immediate threat to data integrity or system security
• High - Significant security risk that should be addressed quickly
• Medium - Moderate security risk with limited impact
• Low - Minor security improvement or hardening opportunity

Security updates and announcements will be published through:

• GitHub Security Advisories - Primary announcement method
• GitHub Releases - Security releases will be clearly marked
• CHANGELOG.md - Security fixes will be documented
• Repository README - Critical security notices when applicable

1. Keep Dependencies Updated

   mvn dependency:display-plugin-updates
   mvn versions:display-dependency-updates

2. Use Dependency Scanning

   mvn org.owasp:dependency-check-maven:check

3. Follow Secure Coding Practices

   • Validate all inputs
   • Use parameterized queries
   • Implement proper authentication and authorization
   • Handle errors securely (don't expose sensitive information)

4. Regular Security Audits

   • Review your application's security posture regularly
   • Keep AG-UI-4J updated to the latest version
   • Monitor security advisories

1. Code Review Requirements

   • All code changes require review by at least one maintainer
   • Security-sensitive changes require additional security review

2. Dependency Management

   • New dependencies must be justified and reviewed
   • Dependencies should be kept to minimum necessary versions
   • Regular dependency updates via Dependabot

3. Testing Requirements

   • Security-related changes require comprehensive tests
   • Include negative test cases (invalid inputs, edge cases)

• Input Validation - [Describe current validation mechanisms]
• Authentication - [Describe authentication methods if applicable]
• Authorization - [Describe authorization controls if applicable]
• Data Protection - [Describe data protection measures]

As the project evolves, we plan to implement:

• Comprehensive input validation framework
• Security testing automation
• Regular security audits
• Penetration testing for major releases

We recognize and thank security researchers who have responsibly disclosed vulnerabilities:

No security reports have been received yet. Be the first to help us improve our security!

• OWASP Top 10
• OWASP Java Security Cheat Sheet
• CWE (Common Weakness Enumeration)
• CVSS Calculator

• Contributing Guidelines
• Code of Conduct
• Project Documentation

• Primary Contact: Pascal Wilbrink ([email protected])
• GitHub: @pascalwilbrink

For general security questions (not vulnerability reports):

• GitHub Discussions: AG-UI-4J Discussions
• GitHub Issues: Create a question issue

Thank you for helping keep AG-UI-4J and our community safe! 🙏

Last updated: August 9 2025