Tighten the web app ESLint scope so TypeScript source is checked without crawling bundled skill assets, and remove unused markdown and debounce dependencies. Clarify the security reporting flow and split code vs content licensing to reduce ambiguity for users and contributors.
22 lines
770 B
Markdown
# Security Policy
## Supported Versions
We track the `main` branch.
## Reporting a Vulnerability
**DO NOT** open a public Issue for security exploits.
If you find a security vulnerability (for example, a skill that bypasses the "Authorized Use Only" check or executes malicious code without warning):
1. Open a **GitHub Private Advisory** on this repository so the report stays private during triage.
2. Include the affected path, reproduction steps, impact, and any suggested mitigation if you have one.
We aim to acknowledge security reports within 72 hours.
## Offensive Skills Policy
Please read our [Security Guardrails](docs/contributors/security-guardrails.md).
All offensive skills are strictly for **authorized educational and professional use only**.