This policy covers the contents of this repository:
packages/evalkit/— theauraone-evalkitPython package andevalkitCLI.robotics-reviewkit/— schemas, exporters, validators, and the static viewer.resources/— open documents and writing.
The hosted AuraOne platform (https://auraone.ai), its APIs, and its infrastructure are out of scope for this repository's security policy. For platform security reports, email security@auraone.ai.
| Version | Supported |
|---|---|
| 0.1.x | Yes |
Please report security issues privately. Do not open a public GitHub issue.
- Email: security@auraone.ai
- Subject:
[auraone-open] <short description>
Include:
- The component affected (
evalkit,robotics-reviewkit, etc.). - A description of the issue and its impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- Any suggested mitigation.
We will acknowledge receipt within 3 business days and aim to provide an initial assessment within 10 business days.
- Arbitrary code execution from processing a rubric, dataset, episode JSON, or other user-supplied input.
- Path traversal or unsafe file writes from CLI commands.
- Insecure deserialization in schema or exporter code.
- Supply-chain issues in published artifacts (PyPI wheel/sdist).
- Defaults that surprise you but are documented.
- Behavior of the hosted AuraOne platform (report via security@auraone.ai instead).
- Issues in third-party tools we wrap but do not maintain.
We prefer coordinated disclosure. We will work with you on a timeline that gives users time to upgrade before public details are published.