Skip to content

Security: ichiorca/claude-code-guardrails

Security

SECURITY.md

Security policy

Reporting a vulnerability

If you find a way to bypass the policy gate, tamper with the audit chain undetected, or forge a receipt, that is a vulnerability in this project — please report it privately via GitHub's Report a vulnerability (Security → Advisories) on this repository rather than opening a public issue. Include a reproduction (ideally as a redteam.py case). You should receive a response within a week.

Known, documented weaknesses are not vulnerabilities — see Honest limitations in the README before reporting:

  • Regex command matching is a tripwire, not a sandbox; the red-team suite ships known evasions on purpose (scripts/redteam.py).
  • The audit chain is tamper-evident, not tamper-proof.
  • Receipts use symmetric HMAC; whoever can verify can sign.
  • Role scoping trusts the agent_type field; it is not cryptographic identity.

A report that converts a documented evasion into a silent bypass of a rule that claims to cover it is in scope.

Supported versions

Only the latest release receives fixes.

There aren't any published security advisories