
Security: AIXP-Labs/AIJP


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in the AIJP protocol specification or reference artifacts, please report it responsibly through GitHub's private security advisory channel:

Report a vulnerability on GitHub

This keeps the report private until a fix is released and coordinated disclosure is complete.

Please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact assessment
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution Plan: Within 14 days

Scope

This security policy covers:

  • The AIJP protocol specification (specification/AIJP_Protocol_cn.md)
  • The canonical enum registry (specification/registry_cn.md)
  • The JSON Schemas (schemas/) and examples (examples/)
  • The reference validator and conformance suite (tests/)
  • Official documentation in docs/ and docs_cn/

Because AIJP drives consequential work, the specification carries a security four-pack for high-risk jobs (§29): a signed/short-lived/single-use approval grant, idempotency (exactly-once on retry), a dry-run preview, and fail-closed risk grading. The machine-checkable validator enforces the high-risk approval gate (rule 14) and idempotency-on-retry (rule 13). Reports that defeat these gates are in scope.

Out of Scope (by design)

AIJP is an authoring / orchestration layer, not a runtime or a complete security framework. The following are documented honest limits, not vulnerabilities:

  • AIJP does not execute consequential actions — execution is delegated via execute_with to AISOP / AIAP / tools / humans / external services (§7.9 / §20). The safety of the delegated executor (and its authorization against AIAP) is that executor's responsibility, not AIJP's.
  • Durable execution is delegated, not reinvented — retry persistence, exactly-once execution and crash recovery are left to Temporal / Dapr-class runtimes with which AIJP is designed to be compatible ("checkpoint ≠ durable execution"); AIJP defines the retry / idempotency_key contract, not the durable engine — see AIJP_Protocol_cn.md §4 / §20.1.
  • Knowledge poisoning via write-back is gated and governed, not prevented — the AIKP write-back gate (validate → distill → decay/supersede) reduces the memory-poisoning / error-accumulation surface, but the final judgment is delegated to the implementation (typically an LLM) and the AIKP governance layer — see AIJP_Protocol_cn.md §21.1.
  • The high-risk trigger is a conservative machine proxy, not a guarantee — rules 13/14 fire on action_class / capability hints (destructive / open_world); this forces the approval/idempotency gates structurally but does not certify that a delegated agent is actually aligned — see AIJP_Protocol_cn.md §20.2 / §26.
  • Version history / rollback for the work artifacts is delegated to the host VCS (local git) and off-site copies, not reinvented in JSON — see AIJP_Protocol_cn.md §4.
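The high-risk gate described under Scope (signed / short-lived / single-use approval grant, idempotency on retry, dry-run preview, fail-closed grading) and the conservative action_class / capability trigger noted in this list, worked through as an added Python example. This is not AIJP's reference validator and none of it is the project's code: the labels action_class, capability hints, idempotency_key, retry, destructive and open_world come from the policy text; the grant format (an HMAC over job id, dry-run preview digest, issue time and nonce), the approval_grant and dry_run_preview field names, the low-risk labels, the ledger and the five-minute TTL are assumptions made for illustration.

```python
"""Added example (not AIJP's own validator): a fail-closed risk grader plus the
approval-grant and idempotency gates it forces on high-risk jobs.
Field names other than action_class, capabilities, idempotency_key, retry and the
destructive / open_world labels (which the policy text names) are assumptions."""
import hashlib
import hmac
import json
import secrets

APPROVAL_KEY = b"example-approval-signing-key"   # constructed; shared with the approval authority
GRANT_TTL_SECONDS = 300                            # short-lived: a grant is valid for five minutes
KNOWN_LOW_RISK_CLASSES = {"read_only", "draft"}    # assumed labels, not from the AIJP registry


def grade_risk(job):
    """Fail-closed grading: anything missing or unrecognised grades high, never low."""
    action_class = job.get("action_class")
    capabilities = job.get("capabilities")
    if action_class is None or capabilities is None:
        return "high"
    if action_class == "destructive" or "open_world" in capabilities:
        return "high"
    return "low" if action_class in KNOWN_LOW_RISK_CLASSES else "high"


def preview_digest(preview):
    """SHA-256 of the dry-run preview in canonical JSON; a grant is bound to it."""
    canon = json.dumps(preview, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def _grant_mac(job_id, digest, issued_at, nonce, key):
    msg = f"{job_id}|{digest}|{issued_at}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_grant(job, issued_at, key=APPROVAL_KEY):
    """Approval authority: sign (job_id, preview digest, issue time, fresh nonce)."""
    digest = preview_digest(job["dry_run_preview"])
    nonce = secrets.token_hex(16)
    return {"job_id": job["job_id"], "preview_digest": digest, "issued_at": issued_at,
            "nonce": nonce, "sig": _grant_mac(job["job_id"], digest, issued_at, nonce, key)}


def check_job(job, ledger, now, key=APPROVAL_KEY):
    """Return the list of gate violations; [] means the job may be dispatched.

    ledger maps consumed grant nonces to the idempotency_key that consumed them, so a
    grant is single-use except for a retry of the very same attempt. A nonce is
    recorded only when every other check passes."""
    errors = []
    if job.get("retry") and not job.get("idempotency_key"):
        errors.append("retry without idempotency_key (rule 13 analogue)")
    if grade_risk(job) != "high":
        return errors

    if not job.get("idempotency_key"):
        errors.append("high-risk job needs an idempotency_key from its first attempt")
    preview = job.get("dry_run_preview")
    if preview is None:
        errors.append("high-risk job without dry-run preview")
    grant = job.get("approval_grant")
    if grant is None:
        errors.append("high-risk job without approval grant (rule 14 analogue)")
        return errors

    expected = _grant_mac(grant.get("job_id"), grant.get("preview_digest"),
                          grant.get("issued_at"), grant.get("nonce"), key)
    if not hmac.compare_digest(expected, str(grant.get("sig", ""))):
        errors.append("approval grant signature invalid")
        return errors                       # remaining grant fields cannot be trusted
    if not isinstance(grant["issued_at"], (int, float)):
        errors.append("approval grant issued_at malformed")
        return errors
    if grant["job_id"] != job.get("job_id"):
        errors.append("approval grant bound to a different job")
    if preview is not None and grant["preview_digest"] != preview_digest(preview):
        errors.append("approval grant does not cover this dry-run preview")
    if not grant["issued_at"] <= now <= grant["issued_at"] + GRANT_TTL_SECONDS:
        errors.append("approval grant expired or not yet valid")
    prior = ledger.get(grant["nonce"])
    if prior is not None and not (job.get("retry") and prior == job.get("idempotency_key")):
        errors.append("approval grant already used")
    if not errors:
        ledger[grant["nonce"]] = job["idempotency_key"]
    return errors


def sample_high_risk_job():
    """Constructed sample: a destructive job with its dry-run preview attached."""
    return {"job_id": "job-42", "action_class": "destructive", "capabilities": ["filesystem"],
            "idempotency_key": "idem-7f3a", "retry": False,
            "dry_run_preview": {"delete": ["build/", "dist/"], "keep": ["src/"]}}


if __name__ == "__main__":
    ledger = {}
    job = sample_high_risk_job()
    print(check_job(job, ledger, now=1000))        # rule 14 analogue: no grant yet
    job["approval_grant"] = issue_grant(job, issued_at=1000)
    print(check_job(job, ledger, now=1100))        # [] : dispatchable
    print(check_job(job, ledger, now=1200))        # grant already used
```

Two design points carry the weight. Grading is fail-closed: a job with no action_class, no capability list, or a label the grader has never seen is treated as high-risk, so forgetting a hint can only add gates, never remove them. The grant is bound to the digest of the dry-run preview, so approval covers exactly what was previewed and a preview edited after approval is rejected; the nonce is consumed only after every other check passes, and the one permitted reuse is a retry carrying the same idempotency_key, which is what lets exactly-once retry and single-use approval coexist. The signature is verified first with hmac.compare_digest, because no other field in an unsigned grant is worth reading.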

Coordinated Disclosure

We follow a coordinated disclosure process. Please do not publicly disclose vulnerabilities until a fix has been released and announced.


Align Axiom 0: Human Sovereignty and Wellbeing. AIJP v0.1.0. www.aijp.dev
