Please do not open a public issue for security vulnerabilities.
Report privately via GitHub's Security Advisories (Security → Report a vulnerability). We aim to acknowledge within 3 business days and to provide a remediation timeline after triage.

loadtest is a client-side load generator. The most relevant concerns:

- Credential handling. The tool sends whatever Authorization/ headers you configure. Never commit real keys; pass them via `-vk` or environment variables. Shipped profiles use a `REPLACE_WITH_VK` placeholder on purpose.
- Output files. `results-*.jsonl` and `report-*` may contain prompt/response excerpts and error bodies (`capture_error_body`). Treat the `runs/` directory as potentially sensitive and exclude it from version control (it is git-ignored).
- Dependencies. We track advisories on Go module dependencies and keep them current.

The latest tagged release receives security fixes.