If you discover a security vulnerability in any vcav-io repository, please report it responsibly. Do not open a public issue.

Email contact@vcav.io with:

- A description of the vulnerability
- Steps to reproduce (if applicable)
- The affected repository and version/commit

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.

This policy covers all public repositories in the vcav-io organisation, including:

- agentvault (relay, client, MCP server)
- av-tee (TEE relay, verifier)
- vault-family-core (receipt signing, verification)
- agentvault-registry (artefact registry)

We appreciate responsible disclosure and will credit reporters in the fix commit (unless you prefer to remain anonymous).