| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| 0.2.x | ✅ |
| 0.1.x | ✅ |
If you discover a security vulnerability in the V-Model Extension Pack, please report it responsibly.
- Do NOT open a public issue. Security vulnerabilities must be reported privately.
- Email: Open a private security advisory on GitHub.
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment within 48 hours of your report.
- Assessment of severity and impact within 1 week.
- Fix and disclosure coordinated with you before any public announcement.
This extension generates markdown files and runs shell scripts for deterministic parsing. Security concerns may include:
- Shell injection via user-provided arguments passed to helper scripts
- Path traversal in script file operations
- Sensitive data exposure in generated specification documents
- Vulnerabilities in Spec Kit itself (report those upstream)
- Issues with the AI agent's behavior (these are prompt engineering concerns, not security vulnerabilities)