This document describes how security concerns should be reported for Riverbraid public repositories.
It is a community health surface only. It does not create certification, legal approval, production readiness, guaranteed response times, staffed security operations, external audit, absolute security, or absence of defects.
This policy applies to public Riverbraid repositories as a reporting and routing surface.
It does not mean every repository is production ready, independently audited, or safe for deployment.
To report a security vulnerability, please open an issue in the most relevant repository or contact the maintainers through the profile channels. We follow a fail-closed response posture.
If the concern affects the public Evaluation Kit or the canonical verification floor, use:
Riverbraid-Evaluation-Kit
If the concern affects repository mapping, public documentation, or claim boundaries, use:
Riverbraid-Documentation
Include:
- Repository name
- Affected file or surface
- Observed behavior
- Expected behavior
- Reproduction steps, if applicable
- Whether the issue affects documentation, verification, workflow behavior, or public claims
Riverbraid currently provides public inspection surfaces and verification artifacts. This security policy does not imply a staffed response team, emergency response availability, formal vulnerability disclosure program, bounty program, third-party audit, or production deployment support.
This policy does not claim:
- Certification
- Legal approval
- Production readiness
- Absolute security
- External audit
- Complete AI safety
- Guaranteed response time
- Absence of defects