Only the latest release on the main branch receives security updates.

Do not open a public GitHub issue for security vulnerabilities.

Preferred channel — GitHub's private Security Advisory flow:

1. Open https://github.com/bobinson/vulture/security/advisories/new
2. Fill in the form (title, severity, affected versions, description, PoC, suggested fix).
3. Submit; only repository security managers see the advisory until it is published.

This routes through GitHub's encrypted infrastructure, gives us a private collaboration thread with you, and produces a CVE assignment if the advisory is published. If GitHub's flow is unavailable to you, open a regular issue containing only the words "security report available, please contact me privately" and a maintainer will reach out via your GitHub-registered email.

• A description of the vulnerability and its potential impact.
• Steps to reproduce the issue or a proof-of-concept.
• The affected component(s) (backend, agents, frontend, CLI).
• The version or commit hash where the issue was observed.
• Any suggested fix or mitigation, if available.

We will work with you to understand and validate the report. Critical and high-severity issues will be prioritized for immediate remediation.

We follow a coordinated disclosure process. We ask that you do not publicly disclose the vulnerability until we have released a fix and provided a reasonable window for users to update.

The following components are in scope for security reports:

• Go backend (backend/)
• Python audit agents (agents/)
• Frontend application (frontend/)
• CLI tool (cli/)
• Docker and deployment configurations

• Never commit secrets, API keys, or credentials to the repository.
• Use the .env.example template for configuration; never commit .env files.
• Report any accidentally exposed credentials immediately.