| ▲ | thdxr 10 hours ago |
| hey maintainer here we've done a poor job handling these security reports, usage has grown rapidly and we're overwhelmed with issues we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done |
|
| ▲ | Imustaskforhelp 9 hours ago | parent | next [-] |
| My original message was more positive but after more looking into context, I am a bit more pessimistic. Now I must admit though that I am little concerned by the fact that the vulnerability reporters tried multiple times to contact you but till no avail. This is not a good look at all and I hope you can fix it asap as you mention I respect dax from the days of SST framework but this is genuinely such a bad look especially when they Reported on 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... Sure they reported the bug now but who knows what could have / might have even been happening as OpenCode was the most famous open source coding agent and surely more cybersec must have watched it, I can see a genuine possibility where something must have been used in the wild as well from my understanding from black hat adversaries I think this means that we should probably run models in gvisor/proper sandboxing efforts. Even right now, we don't know how many more such bugs might persist and can lead to even RCE. Dax, This short attention would make every adversary look for even more bugs / RCE vulnerabilities right now as we speak so you only have a very finite time in my opinion. I hope things can be done as fast as possible now to make OpenCode more safer. |
| |
| ▲ | thdxr 9 hours ago | parent [-] | | the email they found was from a different repo and not monitored. this is ultimately our fault for not having a proper SECURITY.md on our main repository the issue that was reported was fixed as soon as we heard about it - going through the process of learning about the CVE process, etc now and setting everything up correctly. we get 100s of issues reported to us daily across various mediums and we're figuring out how to manage this i can't really say much beyond this is my own inexperience showing | | |
| ▲ | varenc an hour ago | parent | next [-] | | Also consider putting a security.txt[0] file on your main domain, like here: https://opencode.ai/.well-known/security.txt I also just want to sympathize with the difficulty of spotting the real reports from the noise. For a time I helped manage a bug bounty program, and 95% of issues were long reports with plausible titles that ended up saying something like "if an attacker can access the user's device, they can access the user's device". Finding the genuine ones requires a lot of time and constant effort. Though you get a feel for it with experience. [0] https://en.wikipedia.org/wiki/Security.txt edit: I agree with the original report that the CORS fix, while a huge improvement, is not sufficient since it doesn't protect from things like malicious code running locally or on the network. edit2: Looks like you've already rolled out a password! Kudos. | |
| ▲ | Imustaskforhelp 5 hours ago | parent | prev | next [-] | | Thanks for providing additional context. I appreciate the fact that you are admitting fault where it is and that's okay because its human to make errors and I have full faith from your response that OpenCode will learn from its errors. I might try OpenCode now once its get patched or after seeing the community for a while. Wishing the best of luck for a more secure future of opencode! | |
| ▲ | euazOn 9 hours ago | parent | prev [-] | | I am also baffled at how long this vulnerability was left open, but I’m glad you’re at least making changes to hopefully avoid such mistakes in the future. Just a thought, have you tried any way to triage these reported issues via LLMs, or constantly running an LLM to check the codebase for gaping security holes? Would that be in any way useful? Anyway, thanks for your work on opencode and good luck. |
|
|
|
| ▲ | digdugdirk 10 hours ago | parent | prev | next [-] |
| I've been curious how this project will grow over time, it seems to have taken the lead as the first open source terminal agent framework/runner, and definitely seems to be growing faster than any organization would/could/should be able to manage. It really seems like the main focus of the project should be in how to organize the work of the project, rather than on the specs/requirements/development of the codebase itself. What are the general recommendations the team has been getting for how to manage the development velocity? And have you looked into various anarchist organizational principles? |
|
| ▲ | bopbopbop7 9 hours ago | parent | prev | next [-] |
| Why not just ask Claude to fix the security issues and make sure they don't happen again? |
| |
| ▲ | Y_Y 9 hours ago | parent | next [-] | | Talk about kicking someone while they're down... | |
| ▲ | Hamuko 9 hours ago | parent | prev | next [-] | | And if you don't have a Claude subscription, you can just ask your friends to fix them via the remote code execution server. | | |
| ▲ | reactordev 4 hours ago | parent [-] | | There goes my discord side hustle, offering Claude code through your OpenCode. |
| |
| ▲ | croes 7 hours ago | parent | prev [-] | | Who knows what created the issues in the first place place |
|
|
| ▲ | observationist 6 hours ago | parent | prev | next [-] |
| Good luck, and thank you for eating the accountability sandwich and being up front about what you're doing. That's not always easy to do, and it's appreciated! |
|
| ▲ | 8 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | heliumtera 9 hours ago | parent | prev | next [-] |
| Congrats on owning this, good job, respect |
| |
| ▲ | shimman 9 hours ago | parent [-] | | It's hard to not own it when it's publicly disclosed. Maybe save the accolades for when they actually do something and not just say something. | | |
| ▲ | tommica 8 hours ago | parent [-] | | [flagged] | | |
| ▲ | shimman 7 hours ago | parent [-] | | In my limited existence on this earth, talk is very cheap and actions should matter more. | | |
| ▲ | Gigachad 5 hours ago | parent [-] | | Good idea. Start sending in some PRs to contribute then. | | |
| ▲ | shimman 3 hours ago | parent [-] | | Unless they've recently invented a shitpost to typescript compiler, I'm afraid I'll have to devote my time elsewhere. |
|
|
|
|
|
|
| ▲ | 9 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | rtaylorgarlock 10 hours ago | parent | prev | next [-] |
| Respect for openness. Good work and good luck. |
|
| ▲ | falloutx 8 hours ago | parent | prev [-] |
| Its okay, if you can fix it soon, it should be fine. |
