Only the latest release on the 0.x line receives security fixes.

Do NOT open a public GitHub issue for security vulnerabilities.

Send a report to security@agentic.dev with:

• A description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fix, if you have one

• Acknowledgement: within 48 hours of receipt
• Status update: within 5 business days (confirmed, investigating, or not a vulnerability)
• Fix for critical issues: within 14 days of confirmation
• Fix for moderate/low issues: best effort, typically within 30 days

You will be credited in the changelog when the fix ships, unless you prefer to remain anonymous.