Do not open a public issue. Instead, email contact@initrunner.ai with:

• A description of the vulnerability
• Steps to reproduce
• Affected versions
• Any suggested fix (optional)

• Acknowledgement: within 48 hours
• Initial assessment: within 1 week
• Fix or mitigation: varies by severity, targeting 30 days for critical issues

The following areas are in scope:

• Tool sandboxing — escaping filesystem, SQL, shell, or git tool restrictions
• Path traversal — accessing files outside allowed directories
• SSRF — server-side request forgery via HTTP or web_reader tools
• Injection — command injection, SQL injection, prompt injection leading to tool misuse
• Audit bypass — circumventing the audit trail
• Secret leakage — sensitive environment variables exposed in outputs or logs

See docs/security/security.md for the security hardening guide.