Security

Report a vulnerability

SECURITY.md

Security Policy

Supported Scope

Security reports are accepted for:

Root repository files and workflows
Plugin manifests and plugin packaging metadata
Plugin commands, skills, and automation logic
Any file that may affect command execution, data handling, or publish flow

Reporting a Vulnerability

Please report security vulnerabilities privately by email:

nuno.salvacao@gmail.com

Include:

Affected file(s) and component(s)
Clear reproduction steps
Potential impact
Suggested mitigation (if available)

Please do not open public issues for unpatched vulnerabilities.

Response Targets

Initial acknowledgment: within 72 hours
Triage outcome: within 7 days
Fix or mitigation plan: as soon as reasonably possible, based on severity

Disclosure Policy

Once a fix is available, maintainers may publish:

A summary of the vulnerability
Impacted versions/components
Recommended upgrade or mitigation path

There aren't any published security advisories