praxen

Security Policy

Praxen is a security tool. We take vulnerabilities in Praxen itself seriously. This document describes how to report one privately, what is in scope, and what to expect after you report.

Security model and assumptions

Praxen runs as a skill inside your coding agent (Claude Code, OpenAI Codex, or similar) — not as a standalone, sandboxed service. Two properties are worth stating plainly before you run it:

For guidance on interpreting Praxen’s output — a model-assisted expert review rather than a deterministic gate — see Working with Praxen.

Scope

In scope — vulnerabilities in Praxen itself:

Examples of in-scope issues: an injection in a finding’s evidence.snippet that escapes the HTML escaper and executes script in the rendered report; a path-traversal in render.py that lets a crafted findings JSON write outside the output directory; a tampered release artifact.

Out of scope — findings about the agents Praxen analyses. If you run Praxen against an AI agent and Praxen reports a finding against that agent, that is normal output of the tool, not a vulnerability in Praxen. Please report those to the agent’s own maintainer, not here.

Reporting a vulnerability

Do not file a public GitHub issue for a security vulnerability. Public issues are indexed and broadcast immediately; that is the wrong channel for an unpatched defect.

Use GitHub’s private security advisory:

  1. Go to the Security tab on this repository.
  2. Click Report a vulnerability.
  3. Fill in the form. Include enough detail to reproduce — a minimal Praxen input, the observed output, and what you expected to differ. Attach the crafted findings JSON, remit, or repro script if applicable.

GitHub will create a private advisory thread between you and the project maintainers. We will respond there.

If GitHub Security Advisories are unavailable to you for any reason, email developer@exabeam.com with the subject line Praxen security report and the same level of detail.

What to expect

If you do not hear back from us within the windows above, please nudge the thread or escalate via the email address above.

Supported versions

Security fixes ship in the latest released 0.x line. Praxen is pre-1.0 and there is no LTS branch; please upgrade to the latest tagged release before reporting.

Version Receiving security fixes
Latest tagged release ✓ Yes — always upgrade to the newest release before reporting
Anything older than the latest release No — no back-porting while pre-1.0; no LTS branch yet
0.6.x and earlier (under the former name Praxa, at Exabeam/deckard) No — superseded by the rename, not maintained