Policy

Security

How to report vulnerabilities. We take security seriously. nanostack is a security tool.

Reporting vulnerabilities

Report via GitHub Security Advisories. Do not use public issues.

What's in scope

Guard bypassCircumventing block rules or the three-tier permission systemArtifact injectionMalicious data in artifacts that affects downstream skill behaviorSetup scriptSymlink attacks, path traversal, privilege escalation during installSecrets exposureCredentials or tokens leaked in skill outputs or artifactsCommand injectionShell injection via bin/ scripts or skill execution

What's out of scope

AI agent vulnsIssues in Claude, Codex, Gemini or other upstream agentsGenerated codeQuality issues in code the agent writes (not nanostack's responsibility)Third-party skillsVulnerabilities in community-created skill extensions

Response timeline

Acknowledgment48 hoursInitial assessment7 daysFix / mitigation30 days

Disclosure process

  1. You report via GitHub Security Advisory
  2. We confirm and assess severity
  3. We develop and test the fix
  4. We release the patch
  5. We credit the reporter (anonymity available on request)

Only the latest main branch receives full support. Best-effort for older commits.

← nanostack.sh