| Version | Supported |
|---|---|
| 1.9.x | ✅ |
| 1.8.x | ✅ |
| < 1.8 | ❌ |
If you discover a security vulnerability in ECC, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email [email protected] with:
- A description of the vulnerability
- Steps to reproduce
- The affected version(s)
- Any potential impact assessment
You can expect:
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix or mitigation within 30 days for critical issues
If the vulnerability is accepted, we will:
- Credit you in the release notes (unless you prefer anonymity)
- Fix the issue in a timely manner
- Coordinate disclosure timing with you
If the vulnerability is declined, we will explain why and provide guidance on whether it should be reported elsewhere.
This policy covers:
- The ECC plugin and all scripts in this repository
- Hook scripts that execute on your machine
- Install/uninstall/repair lifecycle scripts
- MCP configurations shipped with ECC
- The AgentShield security scanner (github.com/affaan-m/agentshield)
- AgentShield: Scan your agent config for vulnerabilities —
npx ecc-agentshield scan - Security Guide: The Shorthand Guide to Everything Agentic Security
- OWASP MCP Top 10: owasp.org/www-project-mcp-top-10
- OWASP Agentic Applications Top 10: genai.owasp.org