Security fixes are currently targeted at the latest stable 1.x release line on main.
| Version | Supported |
|---|---|
| 1.x | Yes |
| 0.x | No |
| older prereleases / abandoned branches | No |
If you are unsure whether an issue affects a supported build, report it anyway and include the exact package version, tag, or commit SHA you tested.
Please use this policy for vulnerabilities such as:
- sandbox or path-traversal escapes
- unsafe remote fetch / SSRF / DNS pinning bypasses
- quarantine or trust-policy bypasses
- credential, token, or secret exposure caused by the harness
- unintended execution of untrusted content
- release / packaging / supply-chain integrity issues
For general bugs, feature requests, recommendation quality issues, or host-integration quirks, please use the normal GitHub issue tracker instead of a private security report.
Please do not open a public GitHub issue for a suspected security vulnerability.
Use one of these private channels instead:
- Preferred: GitHub Security Advisories / private vulnerability reporting for this repository.
- Fallback: email admin@ar27111994.dev with the subject line `agent-harness security report`.
Please include as much of the following as you can:
- affected version(s), tag(s), or commit SHA(s)
- a short description of the impact
- reproduction steps or a proof of concept
- whether the issue requires special configuration, credentials, or a malicious workspace/source
- any suggested fix or mitigation
- whether you believe the issue is already publicly known
If logs or artifacts contain tokens, secrets, or private repository details, redact them before sending.
Best-effort response targets:
- initial acknowledgment within 3 business days
- triage / severity assessment within 7 business days
- status update after confirmation, mitigation, or rejection
These are goals, not guarantees, but reports will be handled as quickly as possible.
Please allow time for investigation and a fix before public disclosure.
Once a report is confirmed and a patch or mitigation is available, coordinated disclosure is welcome. If the report turns out not to be a security issue, it may be redirected to the normal issue tracker.