Skip to content

Security: Arthur1511/agentspec-copilot

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue
  2. Email the maintainers directly or use GitHub Security Advisories
  3. Include steps to reproduce, impact assessment, and suggested fix if possible

Response Timeline

Stage Timeline
Acknowledgment Within 24 hours
Initial Assessment Within 72 hours
Fix for Critical Issues Within 7 days
Public Disclosure After fix is released

Supported Versions

Version Supported
3.0.x Yes
2.1.x No
2.0.x No
1.x No
< 1.0 No

Security Considerations for AgentSpec Users

AgentSpec generates and executes code through Claude Code. Keep these practices in mind:

  1. Review agent outputs before executing generated code in production
  2. Do not store secrets in KB domains, examples, or SDD documents
  3. Validate external data referenced in custom agents or KB patterns
  4. Use .gitignore to exclude sensitive files from SDD feature documents
  5. Review PR diffs carefully when using /create-pr — ensure no credentials are staged

Scope

This security policy covers the AgentSpec framework itself (agents, commands, templates, KB scaffolding). It does not cover:

  • Code generated by agents during /build (your responsibility to review)
  • Third-party KB domain content
  • Claude Code or Anthropic API security (report to Anthropic)

There aren't any published security advisories