Use GitHub's private vulnerability reporting ("Report a vulnerability" button on this repo's Security tab). We aim to acknowledge within 5 business days.
- The `ethos` CLI, web UI, and gateway adapters in this monorepo
- Bundled extensions under `extensions/`
- Documented public APIs
- User-installed plugins, MCP servers, or skills (report to those projects)
- Issues only reproducible with experimental flags / `--no-safety`
We follow 90-day coordinated disclosure with fix-or-ETA acknowledgement.