Security: SawanoLab/adaptive-claude-agents

SECURITY.md

Security Policy

Supported Versions

This project is currently in beta development (Phase 4). Security updates will be provided for:

  Version   Supported
  main      ✅
  < 1.0     ❌ (pre-release)

Once v1.0 is released, we will provide security updates for the latest stable version.

Reporting a Vulnerability

We take the security of Adaptive Claude Agents seriously. If you discover a security vulnerability, please follow these steps:

1. Do Not Open a Public Issue

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

2. Report Privately

Send a detailed report to: security@sawanolab.org or use GitHub Security Advisories

Include:

  • Description: Clear explanation of the vulnerability
  • Impact: Potential consequences if exploited
  • Reproduction: Step-by-step instructions to reproduce
  • Environment: OS, Claude Code version, Python version, etc.
  • Suggested fix: If you have one (optional)

3. What to Expect

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Regular updates: Every 7 days on progress
  • Resolution timeline: Varies by severity
    • Critical: 7 days
    • High: 30 days
    • Medium: 60 days
    • Low: 90 days

4. Disclosure Policy

  • We will work with you to understand and resolve the issue
  • We will credit you in the security advisory (unless you prefer to remain anonymous)
  • We will coordinate public disclosure after a fix is available
  • Typical disclosure timeline: 90 days from initial report

Security Considerations

Template Security

Risk: Malicious templates could execute harmful code

Mitigation:

  • All community-submitted templates undergo manual review
  • Templates are sandboxed during testing
  • Dangerous commands are flagged in review process
  • Users are warned before executing any template

Detection Script Security

Risk: Project analysis scripts could be exploited

Mitigation:

  • Scripts run with user permissions (no privilege escalation)
  • File system access is limited to project directory
  • No network requests without explicit user consent
  • All dependencies are pinned and verified

MCP Configuration Security

Risk: MCP configuration could expose sensitive data

Mitigation:

  • MCP config files are gitignored
  • No credentials stored in configuration
  • User-specific settings are local only
  • Clear documentation on secure setup

Dependency Security

We regularly check for vulnerabilities in dependencies:

# Python dependencies
pip-audit

# Node.js dependencies (if used)
npm audit

Code Injection Prevention

Risk: User input could lead to code injection

Mitigation:

  • Input validation on all user-provided data
  • No eval() or similar dynamic code execution
  • Parameterized commands when calling external tools
  • Sanitization of file paths
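The path sanitization and parameterized command handling listed above (together with the "file system access is limited to project directory" point under Detection Script Security) can be implemented with a resolve-then-compare check and argv lists instead of shell strings. The following is an added illustration in Python, not code from adaptive-claude-agents; the function names, the slug regex, the ALLOWED_TOOLS set and the sample inputs are assumptions made for this example.

```python
"""Added example (not adaptive-claude-agents code): confine user-supplied
paths to the project root and call external tools without a shell."""
from __future__ import annotations

import re
import subprocess
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a user-supplied path would resolve outside the project root."""


# Constructed allow-list rule for template/subagent names: a plain slug only.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# Constructed allow-list of external tools the script is permitted to invoke.
ALLOWED_TOOLS = frozenset({"wc", "file"})


def is_valid_name(name: str) -> bool:
    """Allow-list validation: path separators, shell metacharacters and empty
    strings all fail, so the value is safe to use as a filename or argv entry."""
    return _NAME_RE.fullmatch(name) is not None


def confine_path(project_root: str | Path, user_path: str) -> Path:
    """Return the absolute path for user_path, guaranteed to sit inside project_root.

    The check is done on the fully resolved candidate, so absolute inputs,
    '..' segments and symlinks pointing outside the project are all rejected
    even when the string the user typed looks harmless.
    """
    if "\x00" in user_path:
        raise PathEscapeError("embedded NUL byte in path")
    root = Path(project_root).resolve()
    if Path(user_path).is_absolute():
        raise PathEscapeError(f"absolute paths are not allowed: {user_path!r}")
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError as exc:
        raise PathEscapeError(f"{user_path!r} resolves outside {root}") from exc
    return candidate


def is_inside_project(project_root: str | Path, user_path: str) -> bool:
    """Boolean form of confine_path for callers that only need a yes/no answer."""
    try:
        confine_path(project_root, user_path)
    except PathEscapeError:
        return False
    return True


def build_tool_argv(tool: str, project_root: str | Path, target: str) -> list[str]:
    """Build an argv list for an allow-listed tool, never a shell command string.

    The target is confined first and then passed as its own argv element after
    '--', so a filename such as '-rf' or '$(id)' is neither parsed as an option
    nor interpreted by a shell.
    """
    if tool not in ALLOWED_TOOLS:
        raise ValueError(f"tool not permitted: {tool!r}")
    confined = confine_path(project_root, target)
    relative = confined.relative_to(Path(project_root).resolve())
    return [tool, "--", str(relative)]


def run_tool(tool: str, project_root: str | Path, target: str) -> subprocess.CompletedProcess[str]:
    """Run the tool with shell=False and the working directory pinned to the project."""
    argv = build_tool_argv(tool, project_root, target)
    return subprocess.run(argv, cwd=Path(project_root).resolve(), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: the first and last are accepted, the middle two rejected.
    root = "/tmp/constructed_project"
    for candidate in ("src/main.py", "../../etc/passwd", "/etc/passwd", "-rf"):
        print(f"{candidate!r:>20} inside project: {is_inside_project(root, candidate)}")
    print(build_tool_argv("wc", root, "-rf"))
```

The comparison is made on the resolved paths on both sides, which is what makes symlinks and `..` segments harmless; comparing the raw strings, or checking only for a `..` prefix, would not. Keeping the tool name on an allow-list and the target after `--` means neither value can turn into an option or a shell construct, which is the practical content of "parameterized commands".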

Best Practices for Users

When Using This Tool

  1. Review Generated Templates

    • Always review subagent templates before using
    • Understand what tools each subagent has access to
    • Be cautious with templates from unknown sources

  2. Limit Permissions

    • Run with minimal necessary permissions
    • Use virtual environments
    • Don't run as root/administrator

  3. Verify Sources

    • Only use templates from trusted sources
    • Check template author credentials
    • Review template code before activation

  4. Keep Updated

    • Regularly update to latest version
    • Subscribe to security advisories
    • Monitor project announcements

When Contributing

  1. Code Review

    • All code changes require maintainer review
    • Security-sensitive changes need extra scrutiny
    • Follow secure coding guidelines

  2. Dependencies

    • Minimize new dependencies
    • Use well-maintained, trusted packages
    • Pin versions in requirements.txt

  3. Secrets

    • Never commit API keys, tokens, or credentials
    • Use environment variables for sensitive data
    • Review .gitignore before committing

Security Features

Current (Phase 1)

  • Input validation on project paths
  • Safe file path handling
  • No network requests without consent
  • Dependency vulnerability scanning

Planned (Future Phases)

  • Template signature verification
  • Sandboxed template execution
  • Automated security testing (SAST)
  • Dependency update automation (Dependabot)

Known Security Limitations

As a beta project, be aware of these limitations:

  1. Limited Testing: Security testing is not yet comprehensive
  2. Rapid Changes: Security features are still being developed
  3. Community Templates: Not all templates are vetted equally
  4. MCP Integration: Relies on security of MCP servers

Recommendation: Use in non-production environments during beta testing.

Security Acknowledgments

We would like to thank the following individuals for responsibly disclosing security vulnerabilities:

No vulnerabilities reported yet (project in beta)

Last Updated: 2025-10-19

Note: This security policy will be updated as the project matures. Current focus is on establishing secure development practices for public beta release (Phase 4).