| Version | Supported |
|---|---|
| 1.4.x | ✅ |
| < 1.4 | ❌ |

We only provide security fixes for the latest minor release. Users on older versions should upgrade.

Please do NOT report security vulnerabilities through public GitHub issues.
Instead, use GitHub Security Advisories to report vulnerabilities privately. This ensures the issue is handled confidentially until a fix is available.

When reporting, please include:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (if applicable)

You should receive an initial response within 72 hours. We will keep you informed of our progress toward a fix and release.

PactKit is a CLI tool that generates and deploys prompt templates for AI coding assistants. The following areas are in scope for security reports:

| Area | Examples |
|---|---|
| Supply chain | Compromised dependencies, malicious packages |
| Prompt injection | Template content that could cause unintended AI behavior |
| File system safety | Path traversal in deployer, unsafe file writes |
| Configuration security | Secrets leaking through generated config files |
| Code execution | Command injection via user-supplied arguments |

The following are out of scope:
- Vulnerabilities in Claude Code itself (report to Anthropic)
- Vulnerabilities in third-party MCP servers
- Issues in user-generated Spec or test content

1. Report received — We acknowledge within 72 hours
2. Triage — We assess severity and impact within 7 days
3. Fix development — We develop and test a fix
4. Release — We publish a patched version and a GitHub Security Advisory
5. Public disclosure — The advisory is made public 30 days after the fix is released, or immediately if the vulnerability is already publicly known

We follow coordinated vulnerability disclosure principles. We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.