| Version | Supported |
|---|---|
| 0.1.x | Yes |
| < 0.1 | No |

Please do not report security vulnerabilities via public GitHub issues.
Instead, email us directly:

Include as much of the following as possible:

- Type of issue (e.g. code injection, insecure deserialization, path traversal)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Reproduction steps
- Proof-of-concept or exploit code (if possible)
- Impact of the issue

| Milestone | Target |
|---|---|
| Acknowledge receipt | 48 hours |
| Confirm and assess severity | 5 business days |
| Patch for critical/high issues | 14 days |
| Public disclosure (after patch) | Coordinated with reporter |

This policy covers the following packages:

- `@agentspec/sdk`
- `@agentspec/cli`
- `@agentspec/adapter-langgraph`

The following are out of scope:

- Issues in third-party dependencies (report to the relevant project)
- Issues that require physical access to a machine
- Social engineering attacks