The AEGIS™ project takes security seriously. We appreciate your efforts to responsibly disclose security concerns.

This security policy covers all repositories in the aegis-initiative organization, including:

• Specifications and RFCs — Design flaws or security issues in the architecture
• Reference implementations — Vulnerabilities in runtime code or examples
• Governance protocols — Issues with AGP message handling or validation
• Schema definitions — Validation bypasses or injection vulnerabilities
• Infrastructure — CI/CD, deployment, and operational security concerns

Please do not report security vulnerabilities through public GitHub issues.

Instead, use one of the following methods:

1. GitHub Private Vulnerability Reporting: Use the "Report a security vulnerability" link in the relevant repository's Issues tab
2. Email: Contact the project maintainer through GitHub with "SECURITY" in the subject line

Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Suggested remediation (if available)
• Your contact information for follow-up

We aim to respond to security reports within:

• Initial acknowledgment: 48 hours
• Impact assessment: 5 business days
• Remediation plan: 10 business days for critical issues

We follow a coordinated disclosure model:

1. Security issue is reported privately
2. Maintainers investigate and develop a fix
3. Fix is released and tested
4. Public disclosure occurs after fix is available

We request that you:

• Allow reasonable time for remediation before public disclosure
• Act in good faith to avoid privacy violations or service disruption

Do not exploit the vulnerability beyond what is necessary for demonstration

The following are known security considerations specific to the aegis-governance repository:

• The governance process may involve sensitive information. Contributors should avoid sharing confidential or personally identifiable information in public issues or pull requests.
• All security-related discussions should be conducted in accordance with the project's confidentiality guidelines.

When proposing changes to AEGIS™ specifications:

• Consider adversarial scenarios and bypass attempts
• Document security implications in RFC proposals
• Evaluate impact on deterministic enforcement guarantees
• Review threat model alignment

When building AEGIS™-compliant systems:

• Validate all protocol messages according to schemas
• Implement proper authentication and authorization
• Use secure defaults (default-deny policies)
• Follow principle of least privilege for capabilities
• Enable comprehensive audit logging
• Test failure modes and error handling
• Review third-party dependencies regularly

Security updates will be published through:

• GitHub Security Advisories
• Release notes with [SECURITY] prefix
• Updates to relevant RFC specifications

Thank you for helping keep AEGIS™ secure.

AEGIS™ and "Capability without constraint is not intelligence™" are trademarks of Finnoybu IP LLC.