We take security seriously. If you discover a security vulnerability in Craft Agents, please report it responsibly.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please send an email to: security@craft.do

Include the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Initial Assessment: We will provide an initial assessment within 7 days
• Resolution Timeline: We aim to resolve critical issues within 30 days

This policy applies to:

• The Craft Agents desktop application
• The @craft-agent/* npm packages
• Official Craft Agents repositories

• Third-party dependencies (report to their maintainers)
• Social engineering attacks
• Denial of service attacks

We only provide security updates for the latest version. Please keep your installation up to date.

When using Craft Agents:

1. Keep credentials secure: Never commit .env files or credentials
2. Use environment variables: Store secrets in environment variables
3. Review permissions: Be cautious with "Execute" permission mode
4. Update regularly: Keep the application updated

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (with their permission).