llm-security/SECURITY.md
Kjell Tore Guttormsen f153f969a0 feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command
Add /ultraresearch-local for structured research combining local codebase
analysis with external knowledge via parallel agent swarms. Produces research
briefs with triangulation, confidence ratings, and source quality assessment.

New command: /ultraresearch-local with modes --quick, --local, --external, --fg.
New agents: research-orchestrator (opus), docs-researcher, community-researcher,
security-researcher, contrarian-researcher, gemini-bridge (all sonnet).
New template: research-brief-template.md.

Integration: --research flag in /ultraplan-local accepts pre-built research
briefs (up to 3), enriches the interview and exploration phases. Planning
orchestrator cross-references brief findings during synthesis.

Design principle: Context Engineering — right information to right agent at
right time. Research briefs are structured artifacts in the pipeline:
ultraresearch → brief → ultraplan --research → plan → ultraexecute.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 08:58:35 +02:00

1.2 KiB

Security Policy

Supported Versions

Version Supported
3.0.x Yes
< 3.0 No

Reporting a Vulnerability

If you discover a security vulnerability in this plugin, please report it responsibly.

Do NOT open a public issue. Instead:

  1. Email: security@fromaitochitta.com
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Affected component (scanner, hook, agent, etc.)
    • Potential impact

Response timeline:

  • Acknowledgment within 48 hours
  • Assessment within 7 days
  • Fix or mitigation within 30 days for confirmed vulnerabilities

Scope

This policy covers:

  • Hook scripts (hooks/scripts/*.mjs)
  • Deterministic scanners (scanners/*.mjs)
  • Scanner shared library (scanners/lib/*.mjs)
  • Agent definitions (agents/*.md)
  • Command definitions (commands/*.md)

Out of scope:

  • The malicious-skill-demo fixture (intentionally vulnerable for testing)
  • Knowledge base content (derived from published OWASP standards)
  • Template files (output formatting only)

Disclosure

Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.