This is the default security policy for @sahil87
projects — the shll AI coding toolkit (idea, hop, fab-kit, wt,
run-kit, tu, shll) and related repositories. Individual repos may publish
their own SECURITY.md, which takes precedence over this default.
These are actively developed, go install/Homebrew-distributed CLIs. Only the
latest release receives security fixes — please update to the latest version
before reporting an issue.
Please report security vulnerabilities privately. Do not open a public issue, pull request, or post in Discord for a suspected vulnerability — public disclosure before a fix is available puts users at risk.
Use GitHub's private vulnerability reporting on the affected repository:
On the repo, go to the Security tab → Report a vulnerability (or visit
https://github.com/sahil87/<repo>/security/advisories/new).
If the affected repository does not have private reporting enabled, report it privately on this repository instead: https://github.com/sahil87/.github/security/advisories/new.
When reporting, please include:
- The affected project and version (e.g. output of <tool> version)
- A description of the vulnerability and its impact
- Steps to reproduce, or a proof-of-concept where possible
- Any suggested remediation, if you have one
These are best-effort, solo-maintained projects. You can expect:
- An initial acknowledgment within ~1 week
- An assessment of whether the report is accepted, and the planned fix and disclosure timeline if so
- Credit in the advisory and release notes once a fix ships, unless you prefer to remain anonymous
Coordinated disclosure is appreciated: please give a reasonable window for a fix to be released before any public discussion.
For general (non-security) bugs and feature requests, open a normal issue on the relevant repository.