---
title: Security Policy
summary: Vulnerability reporting policy and security measures for the project
audience:
  - user
  - security-researcher
  - contributor
topics:
  - security
  - vulnerabilities
  - reporting
  - disclosure
prerequisites: []
related:
  - docs/adr/0005-security-scanning.md
last_validated: 2026-01-09
---
## Supported Versions

| Version | Supported |
| ------- | --------- |
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. **Do NOT create a public GitHub issue for security vulnerabilities.**
2. Use GitHub Security Advisories to report privately.
3. Include as much detail as possible:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

### Response Timeline

- **Acknowledgement:** Within 48 hours of your report
- **Initial Assessment:** Within 7 days
- **Resolution Timeline:** Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 90 days

### Disclosure Policy

- We follow coordinated disclosure.
- We will credit reporters in release notes (unless anonymity is requested).
- We request 90 days before public disclosure to allow time for a fix.
## Security Measures

This project implements multiple layers of security:

- **Pre-commit:** Secret scanning with secretlint
- **Push protection:** GitHub Secret Scanning
- **SAST:** GitHub CodeQL analysis
- **Dependencies:** Dependabot alerts and updates
- **CI:** Vulnerability scanning in pull requests
## Scope

The following are in scope for security reports:

- The claude-auto-resume CLI tool
- Build and release pipelines
- Documentation website

The following are out of scope:

- Third-party dependencies (report to their maintainers directly)
- Social engineering attacks
- Denial of service attacks