Please do not report security vulnerabilities through public GitHub issues.

Preferred path:

• use GitHub private vulnerability reporting for PatrickSys/workspine when it is available for this repository

Fallback path if private reporting is unavailable:

• contact the maintainer directly through @PatrickSys instead of opening a public issue

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix timeline: Depends on severity, but we aim for:
  • Critical: 24-48 hours
  • High: 1 week
  • Medium/Low: Next release

Security issues in the Workspine / gsdd-cli codebase that could:

• Execute arbitrary code on user machines
• Expose sensitive data (API keys, credentials)
• Compromise the integrity of generated plans/code

We appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).