- llm-security SECURITY.md: update supported versions 3.0.x → 5.1.x
- config-audit plugin.json: add license, repository, keywords
- Add root CLAUDE.md with repo structure and conventions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
44 lines
1.2 KiB
Markdown
# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 5.1.x | Yes |
| < 5.0 | No |

## Reporting a Vulnerability

If you discover a security vulnerability in this plugin, please report it responsibly.

**Do NOT open a public issue.** Instead:

1. Email: **security@fromaitochitta.com**
2. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Affected component (scanner, hook, agent, etc.)
   - Potential impact

**Response timeline:**
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix or mitigation within 30 days for confirmed vulnerabilities

## Scope

This policy covers:
- Hook scripts (`hooks/scripts/*.mjs`)
- Deterministic scanners (`scanners/*.mjs`)
- Scanner shared library (`scanners/lib/*.mjs`)
- Agent definitions (`agents/*.md`)
- Command definitions (`commands/*.md`)

Out of scope:
- The malicious-skill-demo fixture (intentionally vulnerable for testing)
- Knowledge base content (derived from published OWASP standards)
- Template files (output formatting only)

## Disclosure

Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.