Please report security issues privately — do not open a public GitHub issue.

Two equally good options:

1. GitHub Security Advisory — preferred. From the repo, open Security → Advisories → Report a vulnerability. This creates a private discussion thread between you and the maintainers.
2. Email — mariano.blua@gmail.com. Use the subject line [AC SECURITY] so it doesn't get lost. Encryption optional; if you need a key, request one in your first message.

Please include:

• A description of the issue and the impact you observed.
• Steps to reproduce (sample input, sample agent config, AC version, OS).
• Any proof-of-concept code.
• Your name + contact (or a pseudonym) for credit, if you want it.

We follow a 90-day coordinated disclosure window from the date of receipt:

• Day 0: You report the issue.
• Day ≤7: We acknowledge receipt.
• Day ≤30: We confirm the issue, scope the fix, and share a timeline.
• Day ≤90: A fix is shipped and a public advisory is published.

If a fix lands sooner, we publish sooner. If the fix needs more than 90 days (e.g., it requires a dependency upgrade we don't control), we coordinate an extension with you in writing.

• Issues in dependencies that are already publicly disclosed upstream.
• Vulnerabilities in code paths that require local administrator privileges to reach.
• Social-engineering / phishing scenarios.
• Reports generated by automated scanners without manual validation.

If your report concerns user data (telemetry, network egress, third-party services), see PRIVACY.md first — many concerns are answered by the no-telemetry stance and the per-feature opt-in model.

Reporters who follow this policy and want public credit are listed in the release notes for the fix.