Ghostbox

Ghostbox Security

Ghostbox creates temporary development machines using third-party infrastructure.

Security model

Ghostbox is meant to reduce local blast radius by letting you run work somewhere temporary instead of directly on your laptop.

It is not a guarantee that code, agents, packages, scripts, tunnels, secrets, or third-party services are safe.

Recommendations

  • Use a dedicated private GitHub control-plane repository.
  • Expose only the secrets required for a task.
  • Prefer short TTLs.
  • Review scripts before using --user-script.
  • Treat coding agents as untrusted automation.
  • Avoid using production secrets or running regulated workloads unless you understand the risks.
  • Use ghost down and ghost prune when finished.
  • Rotate secrets if you suspect exposure.

Reporting security issues

Please do not open public issues for security vulnerabilities.

Send security reports privately to DO-SAY-GO.

Include the affected version, operating system, command used, expected behavior, observed behavior, and logs or reproduction steps with secrets removed.

Scope

In scope:

  • Ghostbox CLI behavior;
  • official Ghostbox release binaries;
  • installer behavior;
  • handling of local configuration and machine metadata;
  • accidental exposure caused by Ghostbox itself.

Out of scope:

  • vulnerabilities in GitHub, Cloudflare, Tor, OpenAI, Anthropic, Google, package registries, or other third-party services;
  • malicious code, packages, scripts, or agents run by the user;
  • exposed user secrets caused by user configuration;
  • expired, rate-limited, suspended, or unavailable third-party infrastructure.

Safe harbor

If you make a good-faith effort to report a vulnerability privately, avoid privacy violations, avoid destruction of data, avoid service disruption, and do not access secrets or data that are not yours, DO-SAY-GO will not pursue legal action against you for the report.
