Only the latest minor release receives security fixes.

Do NOT open a public issue.

Use GitHub Security Advisories to report vulnerabilities privately.

• Acknowledgment: within 72 hours
• Assessment: within 7 days
• Fix target: within 30 days for confirmed issues

• The MCP server binary (cmd/mcp) is in scope
• The cmd/scaffold template rewriter is not security-critical

There is no formal bug bounty program.