My original message was more positive but after more looking into context, I am a bit more pessimistic.

Now I must admit though that I am little concerned by the fact that the vulnerability reporters tried multiple times to contact you but till no avail. This is not a good look at all and I hope you can fix it asap as you mention

I respect dax from the days of SST framework but this is genuinely such a bad look especially when they Reported on 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers...

Sure they reported the bug now but who knows what could have / might have even been happening as OpenCode was the most famous open source coding agent and surely more cybersec must have watched it, I can see a genuine possibility where something must have been used in the wild as well from my understanding from black hat adversaries

I think this means that we should probably run models in gvisor/proper sandboxing efforts.

Even right now, we don't know how many more such bugs might persist and can lead to even RCE.

Dax, This short attention would make every adversary look for even more bugs / RCE vulnerabilities right now as we speak so you only have a very finite time in my opinion. I hope things can be done as fast as possible now to make OpenCode more safer.

I've been curious how this project will grow over time, it seems to have taken the lead as the first open source terminal agent framework/runner, and definitely seems to be growing faster than any organization would/could/should be able to manage.

It really seems like the main focus of the project should be in how to organize the work of the project, rather than on the specs/requirements/development of the codebase itself.

What are the general recommendations the team has been getting for how to manage the development velocity? And have you looked into various anarchist organizational principles?

Why not just ask Claude to fix the security issues and make sure they don't happen again?

Good luck, and thank you for eating the accountability sandwich and being up front about what you're doing. That's not always easy to do, and it's appreciated!

Congrats on owning this, good job, respect

Respect for openness. Good work and good luck.

Its okay, if you can fix it soon, it should be fine.