Security: acechain-io/aesp

SECURITY.md

Security Policy

Supported Versions

Security fixes are provided for the latest release on the main branch.

Reporting a Vulnerability

Please report vulnerabilities privately by email:

  • security@yault.xyz

Do not open public GitHub issues for suspected security vulnerabilities.

Please include:

  • A clear description of the issue and impact.
  • Reproduction steps or a proof of concept.
  • Affected versions/commits.
  • Any proposed mitigation, if known.

Response Process

  • Initial acknowledgement target: within 72 hours.
  • Triage and severity assessment: as soon as possible after acknowledgement.
  • Fix timeline: based on severity and exploitability.
  • Coordinated disclosure: preferred after a fix is available.

Scope

This policy covers:

  • The @yault/aesp npm package and its published artifacts.
  • The yault-mcp CLI binary bundled with the package.

Out of scope:

  • The Yault backend API (report to the backend team directly).
  • Third-party dependencies (report to the upstream maintainer, and notify us if it affects AESP).
