Security: mfrethy-oneandall/stewardship-layer

SECURITY.md

Security Policy

Supported Versions

Version | Supported
latest  | Yes

Only the latest version on the main branch receives security updates.

Reporting a Vulnerability

To report a security vulnerability, please use GitHub Security Advisories.

Do not open a public issue for security vulnerabilities.

Scope

Security issues include:

  • Bypass of the confirmation gate allowing unauthorized execution
  • Audit log tampering or deletion
  • Policy bypass vulnerabilities
  • Information disclosure through the gate interface

Out of scope:

  • Issues in systems that integrate with the stewardship layer
  • Denial of service through excessive proposals
  • Social engineering of human stewards

Response Timeline

  • Acknowledgment: Within 3 business days
  • Initial assessment: Within 7 business days
  • Resolution target: Depends on severity; critical issues prioritized

There aren’t any published security advisories