Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability, please report it privately:

1. Email: jadhavom263@gmail.com

Please include:

• Detailed description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any suggested fixes (if available)

• Initial response: Within 48 hours
• Detailed assessment: Within 7 days
• Patch release: Within 14 days (for critical vulnerabilities)
• Public disclosure: After patch is released, or with maintainer approval

• Critical: Remote code execution, data exfiltration, privilege escalation
• High: Security bypasses, authentication issues
• Medium: Information disclosure, denial of service
• Low: Minor security issues, hardening opportunities

toolmark includes several built-in security features:

• SF001 - Dynamic fetch detection
• SF002 - Hardcoded credential detection
• SF003 - Prompt injection detection
• SF004 - Undeclared network endpoint detection
• Ed25519 - Provenance signing for all published tools

All tools are automatically scanned before publishing:

toolmark scan  # Built-in rules + Snyk integration

We believe in responsible disclosure and will work with researchers to:

1. Acknowledge and validate reports promptly
2. Provide credit for discovered vulnerabilities
3. Coordinate disclosure timelines
4. Consider bounty payments for critical issues

1. Never hardcode credentials - use environment variables
2. Declare all network endpoints in tool.json
3. Avoid dynamic code execution patterns
4. Review tool descriptions for prompt injection risks
5. Sign your tools with Ed25519 keys
6. Run security scans before publishing