# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 5.1.x   | Yes       |
| < 5.0   | No        |

## Reporting a Vulnerability

If you discover a security vulnerability in this plugin, please report it responsibly.

**Do NOT open a public issue.** Instead:

1. Email: **security@fromaitochitta.com**
2. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Affected component (scanner, hook, agent, etc.)
   - Potential impact

**Response timeline:**

- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix or mitigation within 30 days for confirmed vulnerabilities

## Scope

This policy covers:

- Hook scripts (`hooks/scripts/*.mjs`)
- Deterministic scanners (`scanners/*.mjs`)
- Scanner shared library (`scanners/lib/*.mjs`)
- Agent definitions (`agents/*.md`)
- Command definitions (`commands/*.md`)

Out of scope:

- The malicious-skill-demo fixture (intentionally vulnerable for testing)
- Knowledge base content (derived from published OWASP standards)
- Template files (output formatting only)

## Disclosure

Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.