Security

Supported Versions

Version | Supported
2.x
< 2.0

Reporting a Vulnerability

If you discover a security issue in pm-skills, report it privately first.

Preferred channel:

  1. Use GitHub Private Vulnerability Reporting:

Fallback channel:

  1. Open a GitHub issue requesting a private follow-up (do not include exploit details or secrets):

What to include:

  1. Affected file(s) or workflow(s)
  2. Reproduction steps
  3. Impact assessment
  4. Suggested remediation (if available)

Response targets:

  1. Initial acknowledgement within 2 business days
  2. Ongoing status updates until resolution

Scope

This policy covers:

  1. Repository content (skills/, commands/, _workflows/, docs, templates)
  2. Build/release tooling and GitHub Actions workflows
  3. Published release artifacts

Out of Scope

The following are generally out of scope for this repository:

  1. Vulnerabilities in third-party tools or clients not maintained here
  2. Security behavior of external AI platforms integrating these skills