Do not open a public issue for a suspected security problem.
Instead, contact the maintainer privately with:
- a clear description of the issue
- affected files or areas
- reproduction steps or proof of concept
- impact assessment if known
Use a private channel you already have with the maintainer. If none exists, open a minimal public issue asking for a private contact path without disclosing the vulnerability details.
Security reports will be reviewed as time permits. Initial acknowledgment is best effort rather than guaranteed.
This policy covers:
- workspace-level scripts and templates
- workspace documentation that could cause unsafe usage
- the vendored repos/workspace-hub/application
It does not cover third-party repositories stored under repos/ unless the issue is caused by workspace-owned tooling or metadata.