Security: corbenicai/merlin-community

SECURITY.md

Security Policy

Privacy

The merlin-lite binary makes zero network calls. The Python integration glue likewise makes no HTTP/HTTPS requests.

You can verify this yourself:

strings bin/merlin-lite-windows-x64.exe | grep -iE "http|wininet|winhttp"
grep -riE "urllib|requests|httpx" shared/ vscode/

Both return nothing. Note what these two commands do and do not show: the first proves the binary contains none of those substrings, and the second that the Python code never names those three libraries. Neither rules out network access through other paths (the Winsock/socket layer in a native binary, or http.client, aiohttp or a raw socket in Python), so a reviewer who wants a stronger guarantee should widen the patterns, or run the binary under a network monitor and confirm it opens no sockets.
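As an added example (the editor's own script, not code from the merlin-community project), the POSIX shell below turns the two one-liners above into a check that fails closed: it uses a broader indicator list, matches only real Python import statements, refuses to pass silently when a path is missing, and exits non-zero on any hit so it can gate a CI job. The indicator lists, the function names and the strings(1) stand-in are assumptions of this example; the binary and directory names in the usage line are the ones the policy names.

```shell
#!/bin/sh
# Added example for this policy page; the editor's own script, not code from
# the merlin-community repository. Indicator lists and helper names below
# are assumptions of the example, not project conventions.

# Substrings whose presence in a native binary suggests network code. The
# policy's check looks only for "http"/"wininet"/"winhttp"; a binary can reach
# the network through the socket layer alone, so Winsock and resolver entry
# points are included too. Matching is case-insensitive.
BIN_INDICATORS='http|wininet|winhttp|ws2_32|wsastartup|wsasocket|wsaconnect|getaddrinfo|gethostbyname|libcurl|schannel|socket'

# Python modules that open connections. Only import statements are matched,
# so a comment or log message that merely mentions "requests" is not a hit.
PY_INDICATORS='urllib|urllib3|requests|httpx|aiohttp|http\.client|http\.server|socket|ssl|websocket|websockets|ftplib|smtplib|xmlrpc|telnetlib'

# Portable stand-in for strings(1): print runs of four or more printable
# bytes. LC_ALL=C keeps tr and grep byte-oriented on arbitrary binary input.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# check_binary FILE: return 0 if FILE carries no network indicator, 1 if it
# does (matching strings are printed for triage), 2 if FILE does not exist.
# A missing file is an error, not a pass: a check that cannot see its input
# must not report "clean".
check_binary() {
    [ -f "$1" ] || { printf 'not a file: %s\n' "$1"; return 2; }
    hits=$(extract_strings "$1" | LC_ALL=C grep -iE "$BIN_INDICATORS" || true)
    if [ -n "$hits" ]; then
        printf 'network indicators in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# check_python DIR...: return 0 if no file under DIR... imports a network
# module, 1 otherwise, 2 if a DIR is missing. "\b" is not POSIX ERE, so a
# character-class guard marks the end of the module name instead.
check_python() {
    for d in "$@"; do
        [ -d "$d" ] || { printf 'not a directory: %s\n' "$d"; return 2; }
    done
    hits=$(grep -rniE \
        "^[[:space:]]*(import|from)[[:space:]]+($PY_INDICATORS)([^[:alnum:]_]|$)" \
        "$@" || true)
    if [ -n "$hits" ]; then
        printf 'network imports:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# run_checks BINARY DIR...: run both checks, reporting every finding before
# returning non-zero, so a CI job fails if either half of the claim regresses.
run_checks() {
    bin="$1"; shift
    status=0
    check_binary "$bin" || status=1
    check_python "$@" || status=1
    [ "$status" -eq 0 ] && echo "no network indicators found"
    return "$status"
}

# Usage, with the paths named in the policy:
#   run_checks bin/merlin-lite-windows-x64.exe shared/ vscode/
```

The broader lists trade precision for recall: "socket" or "ssl" in a binary may come from a statically linked runtime that is never called, so a hit is something to triage by hand, not proof of a network call. That is the right direction for a "makes zero network calls" claim, where a false negative is the costly outcome.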

Reporting a Vulnerability

If you discover a security vulnerability, please do not file a public issue.

Email: security@corbenic.ai

We aim to respond within 48 hours during European business hours. We commit to:

  1. Acknowledging your report
  2. Investigating and reproducing
  3. Releasing a fix or mitigation
  4. Crediting you (unless you prefer to remain anonymous)

In scope

  • Code-execution vulnerabilities in the Python install scripts
  • File-corruption bugs in the ledger or backup logic
  • Credential leakage in install / config code paths
  • MCP server JSON-RPC parsing issues

Out of scope

  • The compiled binary itself (separate disclosure process)
  • Physical-access attacks
  • Social engineering
