# Security Policy

## Supported Versions

Security fixes are applied to the latest version on `main`.

## Reporting a Vulnerability

Please do not open a public issue for undisclosed vulnerabilities.

Instead, report privately by emailing:
- `kieran@every.to`

Include:
- A clear description of the issue
- Reproduction steps or proof of concept
- Impact assessment (what an attacker can do)
- Any suggested mitigation

We will acknowledge receipt as soon as possible and work with you on validation, remediation, and coordinated disclosure timing.

## Scope Notes

This repository primarily contains plugin instructions/configuration plus a conversion/install CLI.

- Plugin instruction content itself does not run as a server process.
- Security/privacy behavior also depends on the host AI tool and any external integrations you explicitly invoke.

For data-handling details, see [PRIVACY.md](PRIVACY.md).