We take the security of RAGuard seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:

1. GitHub Security Advisories: Go to the Security tab and create a private advisory.
2. Email: Send an email to Carlos@AIAgentObservatory.org with the subject "[RAGuard Security]".

Please include the following information:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

• Acknowledgment: Within 48 hours of receiving your report.
• Initial assessment: Within 7 days.
• Fix development: Within 30 days for critical issues.
• Public disclosure: Coordinated with you after a fix is available.

This security policy applies to:

• The RAGuard scanner core functionality
• CLI interface
• Report generation
• Policy generation

• Vulnerabilities in third-party dependencies (please report to the respective projects)
• Issues in development/test environments only

• English

We appreciate responsible disclosure and will acknowledge contributors in our release notes (unless you prefer to remain anonymous).