| Version | Supported |
|---|---|
| 0.3.x (latest) | ✅ |
| 0.2.x | ✅ security fixes only |
| 0.1.x | ❌ |
Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via email: security@gabrielh.dev
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact (what an attacker could achieve)
- Any suggested remediation
| Timeframe | Action |
|---|---|
| 48 hours | Initial acknowledgment of your report |
| 7 days | Preliminary assessment and severity classification |
| 30 days | Status update on remediation progress |
| 90 days | Coordinated disclosure deadline |
We follow a 90-day coordinated disclosure timeline. After 90 days, we may publish details of the vulnerability regardless of whether a fix has been released, to protect the community.
This template contains:
- Shell scripts (
.claude/hooks/*.sh,scripts/*.sh) - Configuration files (
.pre-commit-config.yaml,.claude/settings.json) - Documentation and prompt files
In scope:
- Hooks that execute arbitrary commands with unintended side effects
- Configuration that grants excessive permissions
- Prompt injection vulnerabilities in agent definitions
- Scripts that handle sensitive data insecurely
Out of scope:
- Issues in third-party tools (Graphify, pre-commit, ruff, prettier) — report to those projects directly
- Social engineering attacks
- Theoretical vulnerabilities without a concrete exploit path
- Review
.claude/settings.jsonpermissions before using in a sensitive codebase - Use
claude --sandboxmode for untrusted projects - Never commit
.envfiles or credentials — useCLAUDE.local.mdand.claude/settings.local.json(both gitignored) for local secrets - Run
gitleaks detectbefore pushing if you've added credentials during a session