Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: security@gsd.build (or DM @glittercowboy on Discord/Twitter if email bounces)

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix timeline: Depends on severity, but we aim for:
  • Critical: 24-48 hours
  • High: 1 week
  • Medium/Low: Next release

Security issues in the GSD codebase that could:

• Execute arbitrary code on user machines
• Expose sensitive data (API keys, credentials)
• Compromise the integrity of generated plans/code

We appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).