| Version | Supported |
|---|---|
| 0.0.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to: security@agent-ready.org
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 5 business days
- Resolution Timeline: Depends on severity
- Critical: 24-48 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
When using agent-ready:
- API Keys: Never commit API keys or secrets to repositories
- Scanned Repositories: Only scan repositories you have permission to access
- Output Files:
readiness.jsonmay contain repository metadata - treat accordingly - Docker: Use official images and keep them updated
This security policy covers:
- The
agent-readyCLI tool - The agent-ready API service
- Official Docker images
- This GitHub repository
We appreciate responsible disclosure. Contributors who report valid security issues will be:
- Credited in release notes (unless anonymity preferred)
- Added to our security acknowledgments
agent-ready includes these security measures:
- Path Traversal Protection:
safePath()validates all file operations - ReDoS Protection:
safeRegex()validates regex patterns - No External API Calls: CLI scanning is entirely local
- Minimal Dependencies: Reduced attack surface
- TypeScript Strict Mode: Compile-time safety checks
We use Dependabot for automated security updates. Critical vulnerabilities in dependencies are addressed within 24 hours.