llm-security/SECURITY.md
Kjell Tore Guttormsen f153f969a0 feat(ultraplan-local): v1.6.0 — /ultraresearch-local deep research command
Add /ultraresearch-local for structured research combining local codebase
analysis with external knowledge via parallel agent swarms. Produces research
briefs with triangulation, confidence ratings, and source quality assessment.

New command: /ultraresearch-local with modes --quick, --local, --external, --fg.
New agents: research-orchestrator (opus), docs-researcher, community-researcher,
security-researcher, contrarian-researcher, gemini-bridge (all sonnet).
New template: research-brief-template.md.

Integration: --research flag in /ultraplan-local accepts pre-built research
briefs (up to 3), enriches the interview and exploration phases. Planning
orchestrator cross-references brief findings during synthesis.

Design principle: Context Engineering — right information to right agent at
right time. Research briefs are structured artifacts in the pipeline:
ultraresearch → brief → ultraplan --research → plan → ultraexecute.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 08:58:35 +02:00

44 lines
1.2 KiB
Markdown

# Security Policy
## Supported Versions
| Version | Supported |
|---------|-----------|
| 3.0.x | Yes |
| < 3.0 | No |
## Reporting a Vulnerability
If you discover a security vulnerability in this plugin, please report it responsibly.
**Do NOT open a public issue.** Instead:
1. Email: **security@fromaitochitta.com**
2. Include:
- Description of the vulnerability
- Steps to reproduce
- Affected component (scanner, hook, agent, etc.)
- Potential impact
**Response timeline:**
- Acknowledgment within 48 hours
- Assessment within 7 days
- Fix or mitigation within 30 days for confirmed vulnerabilities
## Scope
This policy covers:
- Hook scripts (`hooks/scripts/*.mjs`)
- Deterministic scanners (`scanners/*.mjs`)
- Scanner shared library (`scanners/lib/*.mjs`)
- Agent definitions (`agents/*.md`)
- Command definitions (`commands/*.md`)
Out of scope:
- The malicious-skill-demo fixture (intentionally vulnerable for testing)
- Knowledge base content (derived from published OWASP standards)
- Template files (output formatting only)
## Disclosure
Confirmed vulnerabilities will be disclosed after a fix is available, with credit to the reporter unless anonymity is requested.