Security: runcycles/cycles-client-rust

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in any Runcycles repository, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

How to report

Email security@runcycles.io with:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected repository and version
  • Potential impact assessment

What to expect

  • Acknowledgment within 48 hours
  • Initial assessment within 5 business days
  • Fix timeline communicated within 10 business days
  • Credit in the security advisory (unless you prefer anonymity)

Supported versions

We provide security fixes for:

Version                  Supported
Latest release           Yes
Previous minor release   Yes
Older versions           No

Scope

This policy covers all repositories in the runcycles organization:

  • cycles-server — enforcement server (Redis, Lua scripts, Spring Boot)
  • cycles-server-admin — admin API (tenants, budgets, API keys)
  • cycles-protocol — protocol specification
  • cycles-client-python — Python SDK
  • cycles-client-typescript — TypeScript SDK
  • cycles-spring-boot-starter — Spring Boot starter
  • cycles-mcp-server — MCP server
  • cycles-openai-agents — OpenAI Agents SDK integration
  • cycles-openclaw-budget-guard — OpenClaw plugin

Out of scope

  • Demo repositories (cycles-runaway-demo, cycles-agent-action-authority-demo)
  • Documentation site (docs)
  • Vulnerabilities in third-party dependencies (report to the upstream project, but let us know so we can update)

Disclosure policy

We follow coordinated disclosure. Please allow us reasonable time to address the issue before any public disclosure. We aim to release fixes within 30 days of confirming a vulnerability.

There aren’t any published security advisories