Please do not open public issues for security vulnerabilities.
Contact: sycatle@pm.me

| Stage | Target |
|---|---|
| Acknowledgement | 48 hours |
| Triage + severity | 7 days |
| Fix (critical / high) | < 14 days |
| Fix (medium / low) | next minor release |

| Version | Status |
|---|---|
| latest minor | ✅ |
| previous minor | ✅ (3 months after the next one ships) |
| older | ❌ |

runbook is a template + plugin that generates files and orchestrates Claude Code skills. The main threat surface is:

- Skills that execute commands (`gh`, `git`, `pnpm`) on user machines — must never execute unconfirmed destructive actions.
- Templates that could leak secrets if interpolated with wrong inputs.
- Hooks installed in target projects.

Out of scope:

- Vulnerabilities in Claude Code itself (report to Anthropic).
- Vulnerabilities in projects scaffolded by runbook (those are the project's responsibility).