Security: JetBrains-Research/Runway

SECURITY.md

Security Policy

Runway executes user-provided code. Treat every deployment as untrusted-workload infrastructure and isolate workers appropriately for your environment.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Follow the JetBrains coordinated disclosure policy: https://www.jetbrains.com/legal/docs/terms/coordinated-disclosure/.

Please include:

  • A clear description of the vulnerability.
  • Steps to reproduce or a proof of concept.
  • The affected component: service, Python worker, Helm chart, docs, or examples.
  • Any relevant deployment details, such as Kubernetes runtime isolation, NetworkPolicy, ingress exposure, and image versions.

The maintainers will acknowledge the report, investigate it, and coordinate any fix and disclosure timeline through a private channel.

Security Notes for Operators

  • Run workers in an isolated environment appropriate for untrusted code.
  • Prefer a sandboxing runtime such as gVisor where available.
  • Keep worker egress restricted with NetworkPolicy.
  • Do not expose Runway directly to untrusted users without authentication, authorization, rate limits, and resource limits suitable for your deployment.
  • Keep service, worker, NATS, and Helm chart dependencies up to date.
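The following manifests show one concrete way to apply the isolation, egress and resource-limit notes above. This is an added example, not code from the Runway repository or its Helm chart. It assumes (hypothetically) that workers run in a namespace named `runway` with the label `app.kubernetes.io/component=worker`, that they only need to reach NATS (label `app.kubernetes.io/name=nats`, port 4222) and cluster DNS (CoreDNS in `kube-system` with label `k8s-app=kube-dns`), that a `RuntimeClass` named `gvisor` is installed on the cluster, and that the image reference is a placeholder you replace with a pinned digest.

```yaml
# Added example, not part of the Runway repository or its Helm chart.
# Assumptions (hypothetical): workers run in namespace "runway" with label
# app.kubernetes.io/component=worker; NATS is in the same namespace with label
# app.kubernetes.io/name=nats on TCP 4222; CoreDNS runs in kube-system with
# label k8s-app=kube-dns; a RuntimeClass named "gvisor" exists on the cluster.
---
# 1. Default-deny for workers: no ingress at all, egress only to DNS and NATS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: runway-worker-egress
  namespace: runway
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: worker
  policyTypes:
    - Ingress
    - Egress
  # No ingress rules listed: workers accept no inbound connections.
  egress:
    # Cluster DNS only (namespaceSelector AND podSelector in one "to" entry).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # NATS in the same namespace, assumed to be the worker's only job channel.
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: nats
      ports:
        - protocol: TCP
          port: 4222
---
# 2. Worker pod: gVisor runtime, no API credentials, hardened security context,
#    and CPU/memory limits so untrusted code cannot exhaust the node.
apiVersion: v1
kind: Pod
metadata:
  name: runway-worker
  namespace: runway
  labels:
    app.kubernetes.io/component: worker
spec:
  runtimeClassName: gvisor              # assumed RuntimeClass; install it first
  automountServiceAccountToken: false   # untrusted code gets no Kubernetes token
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: worker
      image: example.invalid/runway-worker@sha256:REPLACE_WITH_PINNED_DIGEST  # placeholder
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: scratch
          mountPath: /tmp              # writable scratch space for executed code
      resources:
        requests:
          cpu: "500m"
          memory: "512Mi"
        limits:
          cpu: "1"
          memory: "1Gi"
  volumes:
    - name: scratch
      emptyDir:
        sizeLimit: 256Mi               # bounds disk use by untrusted code
```

Two checks worth running after applying this: a NetworkPolicy only takes effect if the cluster's CNI enforces it, so confirm from inside a worker pod that an outbound connection to an arbitrary internet host fails while DNS and NATS still succeed; and verify `kubectl get runtimeclass gvisor` returns the class, otherwise the pod will stay pending rather than silently fall back to runc. Ingress, authentication and rate limiting for the Runway service itself are outside these manifests and must be configured at whatever fronts the service.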

There aren't any published security advisories