Do not report security vulnerabilities through public GitHub issues.

Use GitHub Security Advisories to report privately, or reach out via the WebdriverIO Discord.

Include: description, steps to reproduce, affected packages, and suggested fix if any.

This project is a testing framework, not production runtime software. The following are not security vulnerabilities:

• Issues in applications being tested
• Local privilege escalation during test execution (tests run with user privileges by design)
• Information disclosure in test logs (test output is controlled by the user)
• CDP/WebDriver protocol exposure during test runs (this is how the tools work)

• Do not commit test artifacts containing sensitive data
• Avoid real credentials in mock configurations — use CN_API_KEY and similar secrets via environment variables, never in config files
• Ensure test environments are isolated from production
• Only test application binaries from trusted sources

Dependabot, CodeQL, and pnpm audit run in CI. Dependency vulnerabilities are addressed based on severity in the next appropriate release.