| Version | Supported |
|---|---|
| 0.0.x | Yes |

Only the latest release on main receives security updates.
Report vulnerabilities through GitHub's private vulnerability reporting.
Send an email to hello@verygood.ventures with a [SECURITY] subject prefix.
- A description of the vulnerability
- Steps to reproduce the issue
- Affected files or components
- Acknowledgment — within 5 business days
- Assessment — within 10 business days
- Notification — you will be notified when a fix is released
This is a documentation-only plugin with no Dart/Flutter source code. The security-relevant surface areas are:
- Insecure code examples that developers may copy into production
- Outdated or misleading security guidance (especially the static-security skill)
- Recommendations that contradict current best practices
- Command injection vulnerabilities
- Unsafe path handling
- Unintended code execution
- Excessive permissions
- Exploitable MCP server definitions
We are happy to acknowledge reporters in the fix PR upon request.