Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in AGA itself, please do not open a public issue.

Instead, email: security@aga-sec.dev (placeholder — replace with real address)

We will respond within 48 hours and work with you on a coordinated disclosure timeline.

Scope

This policy covers:

Bugs in AGA's scanner that could cause false negatives (missed detections)
Vulnerabilities in AGA's own code that could be exploited
Supply chain issues in AGA's dependencies

Responsible Disclosure

Provide a clear description of the vulnerability
Include steps to reproduce
Allow reasonable time for a fix before public disclosure

Recognition

We maintain a security hall of fame for researchers who responsibly disclose vulnerabilities.

There aren't any published security advisories