Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Report security issues privately to:

Vish: https://vish.au

Include:

affected version
reproduction steps
impact assessment
any suggested mitigation

Response Goals

Initial acknowledgement: within 5 business days
Triage and severity assessment: as soon as reasonably possible
Fix and disclosure timing: coordinated based on impact

Scope

This policy covers:

prompt-injection bypasses
secret leakage
policy-pack bypasses
unsafe tool execution paths
audit-trail tampering

There aren't any published security advisories