The main branch is the supported release line. Security fixes land there first.
Please do not open public GitHub issues for suspected vulnerabilities.
Send reports through GitHub private security reporting or directly by email if a contact is listed on the maintainer profile. Include:
- affected skill and file path
- impact and attack scenario
- steps to reproduce
- proof-of-concept details if available
- whether secrets, credentials, or customer data were involved
- initial acknowledgment target: 48 hours
- remediation triage target: 7 business days
- coordinated disclosure after a fix or mitigation is available
- never commit credentials, tokens, or customer data
- source runtime secrets from AWS Secrets Manager, SSM Parameter Store, Vault, or workload identity
- prefer federation and short-lived credentials over static passwords or long-lived API tokens
- keep CSPM execution roles read-only unless the skill is explicitly remediation-oriented
- run CI checks before merging changes that affect IAM, cloud auth, or infrastructure templates
- keep S3 artifacts KMS-encrypted and scope cross-account trust by
aws:PrincipalOrgID