We release security updates for the following versions of cursor-handbook:

If you discover a security vulnerability in cursor-handbook, please report it responsibly.

• Do NOT open a public GitHub issue for security vulnerabilities.
• Use GitHub's private vulnerability reporting (Security tab → Report a vulnerability).

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

Security issues in cursor-handbook include:

• Rules that could lead to secrets exposure
• Agents that could execute destructive operations
• Hooks that bypass security guardrails
• MCP configurations that allow unauthorized access

• Cursor IDE itself — report to Cursor
• AI model behavior — report to the model provider
• Configuration mistakes in a user's project.json — not a vulnerability in this repo

cursor-handbook includes built-in security guardrails:

• Secrets detection rules (no hardcoded API keys, passwords, tokens)
• PII protection rules (no PII in logs)
• Destructive command blocking (e.g. via shell-guard hook)
• Input validation requirements in handler patterns
• Parameterized-query and soft-delete database rules