Skip to content

Security: markmals/speckit

Security

SECURITY.md

Security Policy

SpecKit is an independent, community-maintained fork of github/spec-kit. It is not a GitHub product and has no bug-bounty program.

Reporting a vulnerability

If you believe you've found a security vulnerability, please report it privately — do not open a public issue, discussion, or pull request.

Use GitHub's private vulnerability reporting for this repository, or email the maintainer at mark@malstrom.me.

Please include as much as you can to help triage:

  • The type of issue (e.g. command injection, path traversal, supply-chain)
  • The affected source path(s) and the tag/branch/commit
  • Steps to reproduce, and a proof-of-concept if you have one
  • The impact and how an attacker might exploit it

You'll get an acknowledgement as soon as is practical. This is a small project, so please allow reasonable time for a fix before any public disclosure.

There aren't any published security advisories