If you discover a security vulnerability in ShieldScan itself (e.g., a regex pattern that could be exploited, or a way to bypass detection), please report it responsibly:
- Email: tz2617@columbia.edu
- Subject: `[SECURITY] ShieldScan: <brief description>`
- Response time: We aim to respond within 48 hours
Please do NOT open a public GitHub issue for security vulnerabilities.
This policy covers:
- The ShieldScan SKILL.md file and its detection patterns
- False negative patterns (vulnerabilities that ShieldScan should detect but doesn't)
- The project's own security (e.g., if example files inadvertently contain real secrets)
We follow coordinated disclosure. After a fix is released, we will credit the reporter (unless they prefer to remain anonymous).