No behavior changes. Sets the public stance, tightens documentation, and removes coherence drift so anyone forking or downloading the plugin gets a consistent starting point.

Added:
- CONTRIBUTING.md — public fork-and-own guide. Why PRs are not accepted, how to fork well, what is welcome via issues.
- README "Project scope" section — out-of-scope table naming what is fork-and-own territory (web dashboard, fleet policy, runtime firewall, IDE LSP, compliance pack, ticketing, multi-tenancy, ML detectors, marketplace UI, SSO/SCIM/RBAC) with commercial alternatives.
- package.json: bugs.url, CONTRIBUTING/SECURITY/CHANGELOG in files whitelist for npm publishing.

Changed:
- SECURITY.md rewritten. Supported-versions table from stale 5.1.x to current reality (7.3.x active, 7.0-7.2 best-effort, <7.0 EOL). Best-effort solo response timeline. Scope expanded to bin/.
- Scanner VERSION constants synced to plugin version. Was 6.0.0 in dashboard-aggregator and posture-scanner.
- package.json repository.url corrected from fromaitochitta/ to open/.
- README "Feedback & contributing" links to CONTRIBUTING.md.

Fixed:
- pre-compact-scan size-cap timing test ceiling raised 500ms -> 1000ms. Was a flake on Intel Mac and CI under load. Design target unchanged (<500ms, documented in CLAUDE.md).

Notes:
- First patch on the stabilization line (post-2026-05-01).
- Wave E attack-simulator scenarios deferred indefinitely; coverage remains at 72.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Security Policy
Supported versions
This is a solo-maintained open-source project. "Supported" here means the
maintainer will look at security reports — not that there is an SLA, paid
support, or backporting policy. Forks are encouraged for organizations that
need stronger guarantees (see CONTRIBUTING.md).
| Version | Status |
|---|---|
| 7.3.x | Active. Bug + security fixes. Stabilization line. |
| 7.0.x – 7.2.x | Best-effort security fixes only. Upgrade to 7.3.x recommended. |
| < 7.0 | End of life. No fixes. |
The project is in stabilization mode as of 2026-05-01. New features are
out of scope (see "Project scope" in README.md). Security and
correctness fixes continue.
Reporting a vulnerability
If you discover a security vulnerability in this plugin, please report it responsibly.
Do NOT open a public issue. Instead:
- Email: security@fromaitochitta.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected component (scanner, hook, agent, command, knowledge file)
  - Potential impact
  - Whether you have a proof-of-concept (encrypted attachment is fine)
Response timeline (best-effort, solo project):
- Acknowledgment within 7 days
- Triage and severity classification within 14 days
- Fix or documented mitigation within 30 days for confirmed High/Critical findings; Medium and Low scheduled into the next regular release
If the report touches a vulnerability the project explicitly cannot defend against (see "Defense philosophy" and "What this plugin does NOT cover" in the README — e.g., adaptive ML-based prompt injection bypass), the response will explain why it is out of scope rather than leaving the report open.
Scope
This policy covers:
- Hook scripts (`hooks/scripts/*.mjs`)
- Deterministic scanners (`scanners/*.mjs`)
- Scanner shared library (`scanners/lib/*.mjs`)
- Agent definitions (`agents/*.md`)
- Command definitions (`commands/*.md`)
- CLI entry point (`bin/llm-security.mjs`)
Out of scope:
- The malicious-skill-demo fixture (`examples/malicious-skill-demo/`) — intentionally vulnerable for testing
- Knowledge base content (derived from published OWASP standards and cited research)
- Template files (output formatting only, not part of the security boundary)
- Forks under other names — please report there, not here
Disclosure
Confirmed vulnerabilities will be disclosed in the CHANGELOG after a fix is available, with credit to the reporter unless anonymity is requested.
For coordinated disclosure with downstream forks: include the maintainer email above and the maintainer of the fork in the same thread.