
Security: kaicontext/kai


SECURITY.md

Security Policy

Supported Versions

Version | Supported
--------|----------
latest  | Yes

Reporting a Vulnerability

If you discover a security vulnerability in Kai, please report it responsibly.

Do not open a public issue.

Instead, email security@kaicontext.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Impact assessment (if known)
  • Any suggested fix (optional)

Response Timeline

  • Acknowledgment: within 48 hours
  • Initial assessment: within 5 business days
  • Fix or mitigation: depends on severity, but we aim for:
    • Critical: 7 days
    • High: 14 days
    • Medium/Low: next release cycle

Disclosure Process

  1. Reporter sends vulnerability details via email
  2. We acknowledge receipt and begin investigation
  3. We develop and test a fix
  4. We coordinate disclosure timing with the reporter
  5. We release the fix and publish a security advisory

We follow coordinated disclosure — we ask reporters to keep details private until a fix is available.

Scope

This policy covers the Kai open-source repository, including:

  • kai-cli (CLI binary)
  • kai-core (core engine)

Third-party dependencies are not directly in scope, but we appreciate reports about vulnerable dependencies.

There aren’t any published security advisories