SpecKit is an independent, community-maintained fork of github/spec-kit. It is
not a GitHub product and has no bug-bounty program.
If you believe you've found a security vulnerability, please report it privately — do not open a public issue, discussion, or pull request.
Use GitHub's private vulnerability reporting for this repository, or email the maintainer at mark@malstrom.me.
Please include as much as you can to help triage:
- The type of issue (e.g. command injection, path traversal, supply-chain)
- The affected source path(s) and the tag/branch/commit
- Steps to reproduce, and a proof-of-concept if you have one
- The impact and how an attacker might exploit it
You'll get an acknowledgement as soon as is practical. This is a small project, so please allow reasonable time for a fix before any public disclosure.