| Version | Supported |
|---|---|
| 1.36.x | Yes |
| < 1.36 | No |
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Use GitHub Private Vulnerability Reporting
- Or email: security@fusengine.ch
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected files or hooks
- Potential impact
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Fix release: within 14 business days for critical issues
In scope:
- Hook scripts (`plugins/core-guards/scripts/`)
- Settings manipulation (`scripts/src/services/`)
- MCP server configurations
- API key handling (`env-manager.ts`)
- Shell command injection in bash scripts
- Markdown content (SKILL.md, agent docs)
Out of scope:
- Claude Code itself (report to Anthropic)
- Third-party MCP servers (report to their maintainers)
This project enforces security through hooks and repository settings:
- `git-guard.sh` - Blocks destructive git commands (force push, `reset --hard`)
- `security-guard.sh` - Validates shell commands and rejects dangerous ones before they run
- `install-guard.sh` - Asks for confirmation before package installations
- Secret scanning - Enabled on GitHub to detect leaked credentials
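To illustrate the kind of check a guard such as `git-guard.sh` has to make, here is a small POSIX shell guard written for this page (it is an added example, not the project's own script). It blocks force pushes (`-f`, `--force`, `--force-with-lease`, `+refspec`) and `reset --hard`, skips environment assignments and global `git` options so `GIT_TRACE=1 git -C dir push -f` is still recognised, and splits a command line on `&`, `;` and `|` so a destructive command chained behind a harmless one is not missed. The function names, the option handling and the sample command lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the project's git-guard.sh.
# Exit status convention: 0 = destructive/blocked, 1 = allowed.

# Decide for a single command segment, e.g. "git push -f origin main".
is_destructive_git() {
  set -f                      # no globbing while we word-split the segment
  # shellcheck disable=SC2086  # word splitting is intended here
  set -- $1
  set +f
  # Skip leading environment assignments (FOO=bar git ...) and find "git".
  while [ $# -gt 0 ]; do
    case "$1" in
      *=*) shift ;;
      git) shift; break ;;
      *)   return 1 ;;        # not a git command at all
    esac
  done
  # Skip global options (-C <dir>, -c <key=val>, --no-pager, ...) to reach the subcommand.
  sub=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -C|-c) shift; [ $# -gt 0 ] && shift ;;
      -*)    shift ;;
      *)     sub=$1; shift; break ;;
    esac
  done
  case "$sub" in
    push)
      # Force pushes: short/long flags, lease variants, and "+" refspecs.
      for a in "$@"; do
        case "$a" in
          -f|--force|--force-with-lease|--force-with-lease=*|+*) return 0 ;;
        esac
      done ;;
    reset)
      for a in "$@"; do
        [ "$a" = "--hard" ] && return 0
      done ;;
  esac
  return 1
}

# Decide for a whole command line. Returns 0 = allow, 1 = block.
# Splits on &, &&, ;, | and || so "git fetch && git reset --hard origin/main"
# is caught even though the first segment is harmless.
guard_command() {
  while IFS= read -r seg; do
    if is_destructive_git "$seg"; then
      return 1
    fi
  done <<EOF
$(printf '%s\n' "$1" | tr '&;|' '\n\n\n')
EOF
  return 0
}

# Stand-alone usage: pass the command line as the first argument.
# A hook would feed it the command it receives and exit non-zero to block.
if [ -n "${1:-}" ]; then
  if guard_command "$1"; then
    echo "allow: $1"
  else
    echo "block: $1" >&2
    exit 1
  fi
fi
```

The splitting is deliberately coarse: `&` inside a quoted argument also splits, which can only make the guard stricter, never more permissive. What it does not cover is a command hidden behind `eval`, `sh -c`, or an alias, so a guard like this is a safety net for agent-generated commands rather than a sandbox; the confirmation step that `install-guard.sh` adds for installs is the complementary control for cases pattern matching cannot judge.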