In general, we've taken the stance of not making any network calls beyond any model APIs your specifically set.

BAML runs 100% locally with no internet dependency. The BAML VSCode Playground runs completely sandboxed in the web container inside of VSCode running on localhost.

Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!

Boundary takes security issues very seriously. If you have any concerns about BAML or believe you have uncovered a vulnerability, please get in touch via the e-mail address [email protected]. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.

Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.