We operate a rolling release model. Only the current production version receives security patches.

Do not open a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately via one of:

• GitHub private vulnerability reporting: Security tab → Report a vulnerability
• Email: security@maschina.ai (monitored, response within 48 hours)

• Description of the vulnerability and its impact
• Steps to reproduce (proof-of-concept if available)
• Which component is affected (services/gateway, packages/auth, etc.)
• Your contact information for follow-up

• Acknowledgment: within 48 hours
• Initial assessment: within 5 business days
• Fix timeline: depends on severity — critical issues targeted within 7 days
• Credit: we will credit reporters in the release notes unless you prefer anonymity

In scope:

• Authentication and authorization bypass
• JWT forgery or secret exposure
• SQL injection, XSS, CSRF
• API key exposure or timing attacks
• Prompt injection that bypasses safety checks
• Data exfiltration from agent runs

Out of scope:

• Vulnerabilities in third-party services (Anthropic, Stripe, Neon)
• Social engineering attacks
• Issues requiring physical access
• Denial of service without data impact

See docs/security/ for the full security model, access control, and secrets management documentation.