Security: kalpmodi/akira

SECURITY.md

Security Policy

Reporting a Vulnerability in Akira

Found a security bug, false positive pattern, or hallucination risk in Akira's skills?

Use GitHub Private Vulnerability Reporting (recommended):

  1. Go to the Security tab
  2. Click "Report a vulnerability"
  3. Fill in the details - we'll respond within 48 hours

This keeps the report private until it's fixed.

For non-sensitive bugs (skill accuracy, outdated techniques, wrong outputs):

  • Open a GitHub Issue with the label security-bug or skill-bug

Reporting a Finding Made WITH Akira

Found a real vulnerability using Akira on an authorized target?

  1. Report to the target first (responsible disclosure)
  2. After it's fixed or publicly disclosed, open a PR to add it to FINDINGS.md
  3. Anonymous is fine - program name optional, technique detail is what matters

Suggesting New Techniques or Skills

  • Open an issue with the label technique-request or new-skill
  • Describe: attack vector, tools involved, what evidence it produces
  • Link a public writeup or CVE if available

Good suggestions get fast-tracked into the next release.


Contributing

  • Bug fixes - always welcome
  • Technique improvements - always welcome
  • New skills - welcome (see roadmap)

No CLA. Open a PR.


Contact

For sensitive disclosures: GitHub Private Vulnerability Reporting

For everything else: GitHub Issues.
