
Security: partcleda/gascity


SECURITY.md

Security Policy

Reporting a Vulnerability

Please report suspected vulnerabilities through GitHub private vulnerability reporting:

https://github.com/gastownhall/gascity/security/advisories/new

Do not open a public issue, public discussion, or public pull request for a security vulnerability before the maintainers have had time to investigate and release a fix.

Include as much of the following as you can:

  • Affected version, commit, or release asset.
  • Reproduction steps or proof-of-concept details.
  • Expected and observed impact.
  • Relevant logs, terminal output, or screenshots with secrets removed.
  • Whether the issue is already being exploited or publicly discussed.

Maintainers will acknowledge a valid private report within three business days when possible, triage severity, and coordinate disclosure through the GitHub security advisory. If a fix is needed, it will be released before public disclosure unless there is an active exploitation risk that requires faster notice.

Supported Versions

Security fixes target the current stable major release unless a separate support window is announced in release notes.

Version   Supported
1.x       Yes
< 1.0     No

Scope

Gas City coordinates local and remote agent workflows. Security reports are in scope when they affect confidentiality, integrity, or availability in normal supported use, including:

  • Agent isolation, workspace boundaries, and command execution.
  • Git operations, release workflows, and repository publishing paths.
  • Secrets handling, logs, generated artifacts, and configuration files.
  • Beads data in .gc/ directories when used through Gas City.

Out of scope: expected behavior in trusted local development environments, and documented administrative actions. Vulnerabilities in third-party tools should be reported to the relevant upstream project unless Gas City creates a new or materially worse exposure.

Release Integrity

Release archives are published through GitHub Releases with SHA-256 checksums, SBOM assets, and GitHub artifact attestations generated by GitHub Actions. Homebrew formulas install release archives by checksum.

Direct-download users should verify checksums and attestations before installing or upgrading. See the installation guide for the current commands.
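The checksum half of that verification, as an added example that is not part of the gascity project or its installation guide: a POSIX shell script that looks up a downloaded archive by file name in the published SHA-256 list, recomputes the digest locally, and refuses to report success on a mismatch or a missing entry. Asset and checksum file names, and the OWNER/REPO slug in the attestation comment, are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the gascity project: check a downloaded release
# archive against the published SHA-256 checksum list before installing it.
# Asset and checksum file names are placeholders; use the names from the
# project's release page and installation guide.

# sha256_of FILE -> prints the hex SHA-256 digest using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release_checksum ARCHIVE CHECKSUM_FILE
# Exit status: 0 = digest matches the entry for ARCHIVE's file name,
#              1 = digest mismatch (do not install),
#              2 = CHECKSUM_FILE has no entry for that file name.
verify_release_checksum() {
    archive="$1"
    checksum_file="$2"
    name=$(basename "$archive")

    # Checksum lists use "<hex>  <filename>" lines (sha256sum -c format, where a
    # leading "*" marks binary mode). Match on the exact file name so an entry
    # for a different asset cannot be reused for this one.
    expected=$(awk -v n="$name" '($2 == n) || ($2 == ("*" n)) {print $1; exit}' "$checksum_file")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $checksum_file" >&2
        return 2
    fi

    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    echo "checksum OK for $name"
    return 0
}

# Usage: sh verify-release.sh <release-archive>.tar.gz checksums.txt
# After the checksum matches, also verify the GitHub artifact attestation
# (needs the gh CLI and network access; OWNER/REPO is a placeholder for the
# project's repository slug):
#   gh attestation verify "$1" --repo OWNER/REPO
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    verify_release_checksum "$1" "$2"
fi
```

The file-name match is deliberate: a checksum list covers several assets, and comparing the digest against whichever line happens to come first would let a valid checksum for a different archive pass. The attestation check is left as a comment because it needs the network; run it after the local digest matches.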

There aren't any published security advisories