Please report security vulnerabilities privately. Do not open a public issue or discussion before maintainers have had a reasonable opportunity to investigate and release a fix.
Use the private vulnerability reporting channel in the affected repository's Security tab when it is available. If that repository documents another private security contact, use that channel instead.
Include:
- the affected product, version, and environment;
- the security impact and expected threat model;
- minimal reproduction steps or a proof of concept;
- relevant logs with secrets and personal data removed;
- any suggested mitigation, if known.
Do not send live credentials, private keys, customer data, or access tokens. We will acknowledge a usable report, coordinate validation and remediation, and credit reporters when requested and appropriate.
Support windows are defined by each project. Unless a repository states otherwise, security fixes target the latest published release and the default development branch.
Security reports should concern DeepAgent software or infrastructure operated by DeepAgent. Reports about third-party services should be sent to the relevant provider.