Skip to content

Security: humaidhahm/opencode-pentester

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you find a security issue in opencode-pentester, please report it privately. Do not open a public issue.

Preferred channel: Open a GitHub Security Advisory at github.com/humaidhahm/opencode-pentester/security/advisories/new.

What to Include

  • Affected file or component
  • Affected version
  • Reproduction steps
  • Observed impact
  • Any suggested fix

What We Commit To

  • Acknowledge receipt within 3 business days
  • Initial triage within 7 business days
  • Coordinated disclosure window of up to 90 days for confirmed vulnerabilities
  • Credit in the changelog if desired

Scope

In scope:

  • Agent definition files (agents/, plugins/pentest/agents/)
  • Skill definitions (SKILL.md, plugins/pentest/skills/)
  • Installer scripts (install-tools.sh)
  • Audit checklists (AI-CHECKLIST.MD, manual-checklist.md)
  • Documentation files

Out of scope:

  • Third-party tools the agents drive (nmap, ffuf, sqlmap, etc.) — report upstream
  • Theoretical issues without reproduction
  • The opencode platform itself

There aren't any published security advisories