If you discover a security vulnerability in HELM Pilot, please report it privately via email:
Do NOT open a public GitHub issue for security vulnerabilities.
Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce (if applicable)
- Affected versions or components
- Potential impact assessment
What to expect from us:

- Acknowledgement of your report within 48 hours
- Triage and a fix for critical vulnerabilities within 7 days
- Non-critical issues are prioritized in the next release cycle
We follow coordinated disclosure. Once a fix is released, we will credit reporters (unless anonymity is requested) in the release notes.
| Version | Supported |
|---|---|
| 0.1.x | Yes |
This policy covers the HELM Pilot repository, including the gateway, orchestrator, intelligence pipeline, scoring engine, and HELM policy packs. Third-party dependencies are tracked via `npm audit` in CI.