We release patches for security vulnerabilities in the following versions:

If you discover a security vulnerability within the AL Development Collection, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities.

Send a detailed report via GitHub Security Advisory or email to javiarmesto [at] gmail.com

Include in your report:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (if available)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity
  • Critical: Within 7 days
  • High: Within 30 days
  • Medium/Low: Next scheduled release

1. We will confirm receipt of your report
2. We will investigate and validate the issue
3. We will develop and test a fix
4. We will release a security patch
5. We will publicly acknowledge your contribution (if desired)

When using this collection:

1. Review Instructions: Always review auto-applied instructions before accepting generated code
2. Validate Prompts: Verify that prompts match your security requirements
3. Sensitive Data: Never include credentials, tokens, or sensitive data in instruction files
4. Access Control: Use GitHub's access controls for private repositories
5. Dependencies: Keep dependencies updated (run npm audit regularly)

This security policy applies to:

• All instruction files (.instructions.md)
• All agentic workflows (.prompt.md)
• All agents (.agent.md)
• Collection manifest files
• Validation scripts

• Issues with GitHub Copilot itself (report to GitHub)
• Issues with VS Code (report to Microsoft)
• Microsoft Dynamics 365 Business Central vulnerabilities (report to Microsoft)
• General AL development questions (use Discussions instead)

We appreciate responsible disclosure and will acknowledge security researchers who help improve the security of this project.

Thank you for helping keep the AL Development Collection and our users safe!