Security: NeonSummit/usergate-mcp

SECURITY.md

Security Policy

Supported Versions

Security fixes are handled for the current main branch and the latest tagged release, when releases are available.

Reporting a Vulnerability

Please do not disclose security issues publicly before they are triaged.

Preferred reporting path:

  1. Use GitHub's private vulnerability reporting or draft security advisory flow for this repository, if available.
  2. If private reporting is unavailable, open a GitHub issue with a minimal public description and avoid posting exploit details, secrets, customer data, or private environment information.

Useful reports include:

  • affected version or commit;
  • operating system and Python version;
  • whether the issue affects discovery, download, indexing, CLI, or MCP runtime;
  • minimal reproduction steps using public documentation URLs only;
  • expected impact and any safe mitigation you have already tested.

Scope

In scope:

  • accidental disclosure of local paths or private environment details;
  • unsafe handling of generated corpus, reports, or index data;
  • denial-of-service issues caused by malformed public documentation inputs;
  • MCP tool/resource behavior that exposes more local data than intended.

Out of scope:

  • vulnerabilities in UserGate products or upstream UserGate documentation;
  • issues that require modifying generated local corpus files by hand;
  • reports that include private customer documents, credentials, or non-public support materials.

There aren't any published security advisories