Please do not open public issues for security reports.
Instead, report via one of the following channels:
- GitHub Security Advisories (preferred)
- Email: add-your-security-email-here@example.com
We will acknowledge receipt within 72 hours and provide a remediation plan if confirmed.
Security reports are especially valuable for:
- Tool Gateway authz/authn bugs
- Idempotency and payment confirmation bypasses
- PII leakage via logs/evidence snapshots
- Prompt injection leading to unauthorized tool calls