# Security Policy

## Supported Versions
| Version | Supported |
|---|---|
| 3.0.x | Yes |
| < 3.0 | No |
## Reporting a Vulnerability
If you discover a security vulnerability in this plugin, please report it responsibly.
Do NOT open a public issue. Instead:
- Email: security@fromaitochitta.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected component (scanner, hook, agent, etc.)
  - Potential impact
Response timeline:
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix or mitigation within 30 days for confirmed vulnerabilities
## Scope
This policy covers:
- Hook scripts (`hooks/scripts/*.mjs`)
- Deterministic scanners (`scanners/*.mjs`)
- Scanner shared library (`scanners/lib/*.mjs`)
- Agent definitions (`agents/*.md`)
- Command definitions (`commands/*.md`)
Out of scope:
- The malicious-skill-demo fixture (intentionally vulnerable for testing)
- Knowledge base content (derived from published OWASP standards)
- Template files (output formatting only)
## Disclosure
Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.