Security: aido-dev/aido

SECURITY.md

Security Policy

If you believe you’ve found a security vulnerability, do not open a public issue.

Report privately via GitHub Security Advisories: https://github.com/aido-dev/aido/security/advisories/new

We will:

  • Acknowledge receipt within 5 days.
  • Triage and assess impact within 7 days.
  • Work on a fix and a coordinated disclosure timeline.
  • Credit reporters who request it (optional).

Please include (sanitized):

  • A high-level summary and affected area(s).
  • Reproduction steps in the smallest possible scope.
  • Version / commit SHA, relevant workflow/script names.
  • Impact assessment (confidentiality/integrity/availability).

Do not include:

  • Live secrets, private keys, tokens, or PII.
  • Exploit details in public pull requests or issues.
  • Screenshots or logs with sensitive data.

Supported versions:

  • Main branch (HEAD) and the latest tagged release(s).

Coordinated disclosure:

  • We’ll release a fix, publish an advisory, and (optionally) credit the reporter.
  • Please avoid public disclosure until a patch is available.

Thank you for helping keep Aido and its users safe.
