If you discover a security vulnerability in the AIKP protocol specification or reference artifacts, please report it responsibly through GitHub's private security advisory channel:

Report a vulnerability on GitHub

This keeps the report private until a fix is released and coordinated disclosure is complete.

Please include:

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Potential impact assessment
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution Plan: Within 14 days

This security policy covers:

• The AIKP protocol specification (specification/AIKP_Protocol_cn.md and the English specification/AIKP_Protocol.md)
• The canonical enum registry (specification/registry_cn.md)
• The JSON Schemas (schemas/) and examples (examples/)
• Official documentation in docs/ and docs_cn/

AIKP is a knowledge-organization layer, not a complete solution. The following are documented honest limits, not vulnerabilities:

• Knowledge poisoning is detected and governed, not prevented — see AIKP_Protocol_cn.md §24.
• No-VCS deployments have no history / rollback — version history and durable backup are delegated to the host VCS (local git) and off-site copies, not reinvented by AIKP — see 04 §3.5/§4.
• Provenance/conflict judgment is delegated to the implementation (typically an LLM); AIKP defines the data landing points, not the detector — see AIKP_Protocol_cn.md §19.5.

We follow a coordinated disclosure process. Please do not publicly disclose vulnerabilities until a fix has been released and announced.

Align Axiom 0: Human Sovereignty and Wellbeing. AIKP v0.1.0. www.aikp.dev