Security fixes are expected on the actively maintained branch, `main`. Older branches may receive fixes at maintainer discretion, but `main` is the supported target.
Please do not report security vulnerabilities in public issues or pull requests.
Instead:
- Open a private GitHub security advisory for this repository, if the feature is available.
- Describe the issue clearly; the checklist below covers what the report should contain.
- If possible, include a minimal proof of concept and any suggested remediation.
A useful report should include:
- affected component or path
- impact and attack scenario
- required privileges or assumptions
- steps to reproduce
- whether the issue is configuration-specific (and, if so, which configuration triggers it) or generally exploitable
The project will aim to:
- acknowledge valid reports promptly
- reproduce and assess severity
- prepare a fix or mitigation
- credit reporters if they want public acknowledgement
This project includes:
- CLI tooling
- orchestration/runtime systems
- local and networked agent integrations
- TrackLens review surfaces
- MCP-related tooling and bridges
Vulnerabilities in any of those surfaces are in scope.