This policy covers every published AGLedger package: @agledger/sdk,
@agledger/cli, @agledger/mcp-server, @agledger/verify-core,
@agledger/verify (npm), and agledger (PyPI).
If you discover a security vulnerability in an AGLedger package, please report it responsibly through either channel:
- GitHub — use this repository's "Report a vulnerability" button (Security → Advisories) for private, coordinated disclosure.
- Email — security@agledger.ai
Please include a description, steps to reproduce, the potential impact, and a suggested fix if you have one. We will acknowledge receipt within 48 hours and provide a remediation timeline.
AGLedger is pre-1.0. The latest published minor of each package receives security fixes; older minors are patched at our discretion. Please upgrade to the latest release before reporting.
We follow coordinated disclosure. Please allow up to 90 days for a fix and release before any public disclosure.