This repository contains documentation and educational templates for Claude Code. It does not include executable code that processes user input or runs in production environments.
Security concerns specific to this repository:
- Documentation accuracy for security practices
- Template code quality and security patterns
- Threat database integrity (machine-readable/threat-db.yaml)
Out of scope:
- Security vulnerabilities in Claude Code CLI itself → Report to Anthropic
- Security issues in MCP servers → Report to respective server maintainers
If you discover a security concern related to this guide (examples: malicious template, incorrect security advice, threat database inaccuracies), please:
- Email: florian.bruniaux@methode-aristote.fr
  - Subject: [SECURITY] Claude Code Guide - Brief Description
  - Include: Affected file/section, description, impact assessment
- GitHub Private Disclosure: Use Security Advisories for sensitive issues
Response SLA: We aim to respond within 48 hours and issue fixes within 7 days for critical issues.
This guide maintains comprehensive security documentation:
- Security Hardening Guide — MCP vetting, injection defense, audit workflows
- Threat Database — 18 CVEs, 341 malicious skills
- Security Hooks — 30 production hooks (bash + PowerShell)
- Security Commands — /security-check, /security-audit, /update-threat-db
Threat Database Updates: The threat intelligence database is updated based on:
- CVE announcements and security advisories
- Community reports of malicious skills/MCP servers
- Anthropic security bulletins
- Academic research (e.g., prompt injection papers)
Audit Schedule:
- Weekly review of new MCP servers and skills
- Monthly audit of security documentation accuracy
- Quarterly full threat database refresh
Last Updated: 2026-02-11 (v3.26.0)
If you're a security researcher and find issues affecting multiple repositories in the Claude Code ecosystem:
- Email us first (coordinated disclosure preferred)
- We'll coordinate with other maintainers if needed
- Public disclosure timing: 90 days or after fix, whichever comes first
We thank security researchers who have contributed to improving this guide's security content through responsible disclosure.
Author: Florian BRUNIAUX | Founding Engineer @Méthode Aristote
Guide License: CC BY-SA 4.0