We take the security of EZ Agents seriously. If you believe you've found a security vulnerability, please follow these guidelines.

Preferred Method: Email us at [security email]

Alternative: Create a draft security advisory

Please provide as much information as possible:

1. Description — Detailed description of the vulnerability
2. Impact — What an attacker could achieve
3. Reproduction Steps — Step-by-step instructions to reproduce
4. Affected Versions — Which versions are affected
5. Suggested Fix — If you have one (optional)

• Within 48 hours — Initial acknowledgment
• Within 7 days — Preliminary assessment
• Within 30 days — Fix developed or mitigation plan
• Within 90 days — Public disclosure (coordinated)

AI Runtime Security:

• Use official AI runtimes (Claude Code, Qwen Code, etc.)
• Keep runtimes updated
• Review agent permissions
• Don't share API keys

Project Security:

• Use .env files for secrets (never commit)
• Enable branch protection
• Review generated code before deploying
• Run security audits (npm audit)

Deployment Security:

• Use production environment variables
• Enable HTTPS
• Implement rate limiting
• Monitor for anomalies

Code Security:

• No hardcoded secrets
• Validate all inputs
• Use parameterized queries
• Implement proper error handling
• Follow OWASP guidelines

Dependency Security:

• Keep dependencies updated
• Review security advisories
• Use npm audit before submitting PRs
• Pin dependency versions

Authentication:

• JWT with refresh rotation
• HttpOnly cookies
• CSRF protection
• Session management

Authorization:

• Role-based access control (RBAC)
• Permission checks
• Resource ownership validation

Data Protection:

• Input validation
• Output encoding
• SQL injection prevention
• XSS prevention

CI/CD Security:

• Dependency scanning
• Code analysis
• Secret detection
• Container scanning

Pre-commit Hooks:

• Secret scanning
• Code formatting
• Linting

1. AI-Generated Code — Review before deploying
2. Third-Party Dependencies — Monitor for vulnerabilities
3. Configuration Files — Secure your .env files

1. Code Review — Always review AI-generated code
2. Dependency Updates — Regular npm update
3. Environment Security — Use .env.example pattern

• OWASP Top 10
• Node.js Security Best Practices
• GitHub Security Features

• npm audit — Dependency auditing
• eslint-plugin-security — Security linting
• snyk — Vulnerability scanning

• GitHub Security Advisories — Subscribe for notifications
• Release Notes — Security fixes documented in changelog
• Email — Critical vulnerabilities announced via email

# Check for updates
npm view @howlil/ez-agents version

# Update EZ Agents
npm install -g @howlil/ez-agents@latest

# Verify installation
ez-agents --version

We follow responsible disclosure practices:

1. Reporter — Reports vulnerability privately
2. Maintainers — Develop fix privately
3. Reporter — Validates fix (optional)
4. Public — Coordinated disclosure after fix available

We acknowledge security researchers who responsibly disclose vulnerabilities (with permission).

Security Team: [security email] PGP Key: [PGP key if available]

For non-security issues: Use GitHub Issues

Last Updated: March 28, 2026 Policy Version: 1.0