We take the security of QWED A2A very seriously. If you discover a security vulnerability, please report it to us immediately.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@qwedai.com

Provide detailed information to enable reproduction and resolution of the issue, including:

• Steps to reproduce the vulnerability.
• Relevant code or configuration.
• The potential impact of the vulnerability.

We are committed to addressing security issues promptly.

• We will acknowledge your report within 24 hours.
• Our team will work with you to understand and resolve the issue.
• Expect regular progress updates throughout the process.

We value the security community and will publicly credit vulnerability reporters who responsibly disclose issues and do not request anonymity. Credit will be given in our release notes and SECURITY.md history.

To help us triage issues effectively, please distinguish between security issues and bugs:

• Security Issue: A vulnerability that compromises the confidentiality, integrity, or availability of the system (e.g., payload tampering, cryptographic bypass, unauthorized agent forwarding). Please report these via email as described above.
• Bug: A functional defect or unexpected behavior that does not have security implications (e.g., UI glitch, incorrect calculation, crash without exploitability). Please report these via the GitHub Issue Tracker.

Thank you for helping keep QWED A2A secure!