Specorator follows semantic versioning. Security fixes target the latest minor release on main; older minors are not patched.
| Version | Supported |
|---|---|
| 0.8.x | ✅ |
| < 0.8 | ❌ |
Please do not open a public issue for security vulnerabilities.
Report privately via GitHub's Private Vulnerability Reporting:
- Go to https://github.com/Luis85/agentic-workflow/security/advisories/new
- Or use the Security tab → Report a vulnerability
Include, where possible:
- Affected version, file path, or workflow
- Reproduction steps or proof of concept
- Suspected impact (data exposure, privilege escalation, supply-chain risk, etc.)
We aim to acknowledge reports within 5 working days and to ship a fix or mitigation within 30 days for high-severity issues. Lower-severity findings ride the normal release cadence.
In scope:
- Code in this repository (scripts, workflows, plugins, agents, skills, templates).
- The `specorator` npm package published from this repository.
- The Claude Code plugin distributed from the `dist/claude-plugin` branch.
- Generated artifacts that ship to consumers (GitHub Pages site under `sites/dist/`).
Out of scope:
- Third-party AI tools that read this template (Claude Code, Codex, Cursor, Aider, Copilot, Gemini) — report to the respective vendor.
- Downstream projects that adopt the template — report to the project maintainer.
- Theoretical risks in agent-driven workflows that are already documented in `docs/agentic-security-review.md` and tracked as known limitations.
We coordinate disclosure with the reporter. Once a fix is released, we publish a GitHub Security Advisory crediting the reporter unless they request otherwise.