Security: kerberos-io/agent

SECURITY.md

Security Policy

Supported Versions

We only provide security fixes for the latest release series on the master branch.

Reporting a Vulnerability

Please do not open a public GitHub issue for potential security vulnerabilities.

Use one of the private channels below:

  1. Preferred: GitHub private vulnerability reporting
  2. Fallback: Email

Please include:

  • A short summary and impact.
  • Reproduction steps or proof of concept.
  • Affected version(s), commit hash, or deployment details.
  • Any proposed mitigation/workaround.
  • Your preferred attribution name.

For faster triage, use this subject format in email:

[Security][Kerberos Agent] <short title>

Response Expectations

  • Acknowledgement target: within 3 business days.
  • Triage/update target: within 7 business days after acknowledgement.

If you do not receive a response in time, please resend your report and include your original timestamp.

Disclosure and Credits

We follow coordinated disclosure. After a fix is available, we will credit reporters unless they prefer to stay anonymous.

There aren't any published security advisories