Skip to main content
Devin Desktop takes the security of our products and services seriously. If you believe you have found a security vulnerability in any Devin Desktop-owned services, please report it to us as described below.

Reporting Security Issues

Please do not report security vulnerabilities through public GitHub issues. Instead, please report them via email to security@windsurf.com Please include the following information in your report including as much technical detail as possible:
  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • The location of the affected source code (if applicable)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it
  • Any other relevant information
This information will help us triage your report more quickly. Please compile all information into a single email, encrypted with our public GPG key, include the name of the affected product, and the version of the product affected (if known).

Public GPG Key

Policy

Devin Desktop follows the principle of Coordinated Vulnerability Disclosure.

Safe Harbor

Devin Desktop supports safe harbor for security researchers who:
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts you own or with explicit permission of the account holder
  • Do not exploit a security issue you discover for any reason other than testing
  • Report any vulnerability you’ve discovered promptly
  • Follow the guidelines outlined in this document
We will not take legal action against you or administrative action against your account if you act according to this policy. Last updated: December 10, 2024