# Security Policy
## Supported versions
`skref` is pre-1.0. Security fixes are applied to the latest released version on
the `main` branch. Please make sure you are on the most recent release before
reporting an issue.
## Reporting a vulnerability
Please **do not** open a public GitHub issue for security vulnerabilities.
Instead, report them privately by either:
- Using GitHub's [private vulnerability reporting](https://github.com/alephic-ai/skref/security/advisories/new)
("Report a vulnerability" under the repository's **Security** tab), or
- Emailing **laurent@alephic.com** with the details.
Please include:
- A description of the vulnerability and its impact.
- Steps to reproduce, ideally with a minimal `SKILL.md` or input.
- The `skref` version and your platform.
## What to expect
- We aim to acknowledge reports within **3 business days**.
- We will keep you informed about the progress of a fix and coordinate
disclosure timing with you.
- With your permission, we are happy to credit you in the release notes once a
fix ships.
## Scope
`skref` reads and validates local `SKILL.md` files and emits text. It performs
no network access and executes no skill code itself. The most relevant concerns
are therefore around parsing untrusted input (malformed frontmatter, adversarial
Unicode, resource exhaustion). Reports demonstrating crashes, hangs, or
incorrect validation results on untrusted input are in scope and welcome.