| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please email us at: security@headroom.dev
Include the following information:
- Type of vulnerability (e.g., injection, data exposure, authentication bypass)
- Full path of the affected source file(s)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment
What to expect after you report:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical issues within 7 days
- Credit: With your permission, we will credit you in the security advisory
When using Headroom:
- API Keys: Never commit API keys. Use environment variables.
- Proxy Exposure: Don't expose the proxy server to the public internet without authentication.
- Log Files: Be aware that request logs may contain sensitive information
- Budget Limits: Set budget limits to prevent unexpected costs
The following are in scope for security reports:
- Headroom Python package (`pip install headroom`)
- Headroom proxy server
- Official integrations (LangChain, MCP)
The following are out of scope:
- Third-party integrations not maintained by us
- Issues in dependencies (report these to the upstream project)
- Social engineering attacks
Headroom includes several security features:
- No credential storage: We never store or log API keys
- Passthrough mode: Sensitive content passes through unchanged by default
- Input validation: All inputs are validated before processing
- Safe defaults: Security-conscious defaults out of the box
Thank you for helping keep Headroom and its users safe!