# Security Policy

## Supported Versions

We track the `main` branch.

## Reporting a Vulnerability

**DO NOT** open a public Issue for security exploits.

If you find a security vulnerability (for example, a skill that bypasses the "Authorized Use Only" check or executes malicious code without warning):

1. Open a **GitHub Private Advisory** on this repository so the report stays private during triage.
2. Include the affected path, reproduction steps, impact, and any suggested mitigation if you have one.

We aim to acknowledge security reports within 72 hours.

## Offensive Skills Policy

Please read our [Security Guardrails](docs/contributors/security-guardrails.md).
All offensive skills are strictly for **authorized educational and professional use only**.