Security: agent-control-protocol/acp

SECURITY.md

Security Policy

Supported Versions

Version    Supported
v1         Yes

Reporting a Vulnerability

If you discover a security vulnerability in the ACP specification or conformance test suite, please report it responsibly.

Email: security@primoia.ai

Do NOT open a public GitHub issue for security vulnerabilities.

What to include

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Which part of the spec or test suite is affected
  • Potential impact assessment

Response timeline

  • 48 hours — We will acknowledge receipt of your report
  • 7 days — We will provide an initial assessment and expected fix timeline
  • 30 days — We aim to release a fix or mitigation

We will credit reporters in the changelog unless they prefer to remain anonymous.

Scope

This policy covers:

  • The ACP v1 JSON Schema (spec/acp-v1.json)
  • The formal specification (spec/SPEC.md)
  • The conformance test suite (conformance/)

There aren't any published security advisories