If you find a security issue in opencode-pentester, please report it privately. Do not open a public issue.
Preferred channel: Open a GitHub Security Advisory at github.com/humaidhahm/opencode-pentester/security/advisories/new.
- Affected file or component
- Affected version
- Reproduction steps
- Observed impact
- Any suggested fix
- Acknowledge receipt within 3 business days
- Initial triage within 7 business days
- Coordinated disclosure window of up to 90 days for confirmed vulnerabilities
- Credit in the changelog if desired
In scope:
- Agent definition files (
agents/,plugins/pentest/agents/) - Skill definitions (
SKILL.md,plugins/pentest/skills/) - Installer scripts (
install-tools.sh) - Audit checklists (
AI-CHECKLIST.MD,manual-checklist.md) - Documentation files
Out of scope:
- Third-party tools the agents drive (nmap, ffuf, sqlmap, etc.) — report upstream
- Theoretical issues without reproduction
- The opencode platform itself