Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 2.x | ✅ |
| < 2.0 | ❌ |
Reporting a Vulnerability
If you discover a security issue in pm-skills, report it privately first.
Preferred channel:
1. Use GitHub Private Vulnerability Reporting:
   - https://github.com/product-on-purpose/pm-skills/security/advisories/new
Fallback channel:
1. Open a GitHub issue requesting a private follow-up (do not include exploit details or secrets):
   - https://github.com/product-on-purpose/pm-skills/issues/new
What to include:
1. Affected file(s) or workflow(s)
2. Reproduction steps
3. Impact assessment
4. Suggested remediation (if available)
Response targets:
1. Initial acknowledgement within 2 business days
2. Ongoing status updates until resolution
Scope
This policy covers:
1. Repository content (skills/, commands/, _workflows/, docs, templates)
2. Build/release tooling and GitHub Actions workflows
3. Published release artifacts
Out of Scope
The following are generally out of scope for this repository:
1. Vulnerabilities in third-party tools or clients not maintained here
2. Security behavior of external AI platforms integrating these skills