If you discover a security vulnerability, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, use one of these methods:
- GitHub Private Security Advisory (preferred): go to the repository's Security tab and create a private advisory.
- Email: contact the maintainer directly using the contact details on their GitHub profile.
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
After reporting, you can expect:
- Acknowledgment within 48 hours
- Status update within 7 days
- A fix timeline that depends on severity
This policy covers:
- Template files shipped to downstream projects (CLAUDE.md, agents, settings)
- Setup scripts (setup-project.ps1, setup-project.sh)
- MCP server configuration and permission grants
Out of scope:
- Vulnerabilities in Claude Code itself (report to Anthropic)
- Vulnerabilities in third-party MCP servers (report to their maintainers)