Security

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities through one of the following channels:

Email: security@agentlens.dev
GitHub Private Vulnerability Reporting (Security Advisory draft)

Do not open public issues for security vulnerabilities.

Response Timeline

We will acknowledge receipt within 48 hours.
We will investigate, assess impact, and provide status updates during triage.
We will coordinate disclosure details once a fix is available.

Scope

In-scope vulnerabilities include, but are not limited to:

Remote code execution or arbitrary command execution
Authentication or authorization bypass
Sensitive data exposure
Dependency or supply-chain risks with exploitable impact
CI/CD workflow security vulnerabilities

Out-of-scope items generally include:

Self-XSS requiring unlikely user action
Social engineering or phishing attacks
Issues only affecting unsupported versions

We appreciate responsible disclosure that helps keep AgentLens users safe.

There aren’t any published security advisories