# Security Policy

The Defensive OpSec Operating Standard cites ISO/IEC 29147 (coordinated vulnerability disclosure). This file walks the talk.

## Reporting a vulnerability

- **Email:** john@mhcis.com
- **Subject:** `[deepsec-skill] vulnerability report`
- **Encryption:** PGP key on request
- **Acknowledgement SLA:** 72 hours
- **Initial assessment SLA:** 7 days
- **Coordinated disclosure window:** 90 days, negotiable

A copy of this contact is also at [`/.well-known/security.txt`](./.well-known/security.txt).

## In scope

- The standard, the agent skill (`deepsec/SKILL.md`), the methodology, the references index, and the specimens hosted at `https://www.deepsec-skill.dev/`.
- Prompt-injection or absorption-bypass paths against the activation precedence, canary, or conflict-detection design (see ADR-0002).
- Citation-integrity defects in `references.json` or specimens. Sources mis-tiered, claims that fail triangulation, fabricated `verified_on` timestamps.

## Out of scope

- Vulnerabilities in upstream `vercel-labs/deepsec`: report those to <https://github.com/vercel-labs/deepsec/security>.
- Vulnerabilities in adopters' own `CLAUDE.md` files or host projects.
- Theoretical attacks on agent-skill registries that don't traverse this project's surfaces.

## Safe-harbour

Good-faith research that respects this policy will not be pursued legally. We follow ISO/IEC 29147 and the [CISA Coordinated Vulnerability Disclosure Process](https://www.cisa.gov/coordinated-vulnerability-disclosure-process).