Please do not open a public GitHub issue for security vulnerabilities.

Open a private security advisory directly on GitHub. We will respond within 72 hours.

Include:

• Description of the vulnerability
• Component affected (Governor, Core, SDK, skill)
• Steps to reproduce
• Potential impact

The Rust Safety Governor is the highest-priority security component. Vulnerabilities there — especially sandbox escapes, permission bypass, or audit trail tampering — are treated as critical.

We especially welcome research on:

• V8 sandbox escapes via the skill execution path
• Permission system bypasses
• Prompt injection detection gaps
• Ed25519 audit chain integrity

• Acknowledge within 72 hours
• Provide a fix timeline within 7 days
• Credit you in the release notes (unless you prefer anonymity)
• Never share your report publicly before a fix is available