This project is in early development. Please report vulnerabilities against the latest release and/or main.
If you discover a security vulnerability in cq, please report it responsibly by emailing security@mozilla.ai. Do not open a public GitHub issue for security vulnerabilities.
Please include the following in your report:
- Project name and version (or commit SHA)
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Proof of concept (optional but helpful)

After you submit a report:
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment within 5 business days.
- We will keep you informed of our progress as we work toward a fix.
- With your permission, we will credit you in the release notes.
We follow a coordinated disclosure approach. We ask that you do not disclose the vulnerability publicly until a fix has been confirmed and a disclosure timeline has been agreed upon. For critical issues, we aim to resolve and disclose within 30 days.
This policy applies to all cq components:
- MCP server plugin
- server
Thank you for helping us keep cq secure.