This root policy covers repository-level reporting and disclosure flow. Runtime hardening and operational controls are documented in:
- backend/agent/SECURITY.md
- Do not open public issues for security vulnerabilities.
- Open a private advisory:
Include:
- affected version/commit
- impact and severity estimate
- reproduction steps
- suggested mitigation (if available)
Target initial maintainer response: within 48 hours.