If you discover a security vulnerability in Everything Gemini Code, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, email security@egc.tools with:

• A description of the vulnerability
• Steps to reproduce
• The affected version(s)
• Any potential impact assessment

You can expect:

• Acknowledgment within 48 hours
• Status update within 7 days
• Fix or mitigation within 30 days for critical issues

If the vulnerability is accepted, we will:

• Credit you in the release notes (unless you prefer anonymity)
• Fix the issue in a timely manner
• Coordinate disclosure timing with you

If the vulnerability is declined, we will explain why and provide guidance on whether it should be reported elsewhere.

This policy covers:

• The EGC extension and all scripts in this repository
• Hook scripts that execute on your machine
• Install/uninstall lifecycle scripts
• MCP configurations shipped with EGC
• Command, skill, and agent definitions

• OWASP MCP Top 10: owasp.org/www-project-mcp-top-10
• OWASP Agentic Applications Top 10: genai.owasp.org