If you discover a security vulnerability in CloakLLM, please report it responsibly through GitHub Security Advisories:

1. Go to the Security Advisories page
2. Click "New draft security advisory"
3. Fill in the details of the vulnerability

For SDK-specific vulnerabilities, you may also report directly on the affected repo:

• CloakLLM-PY Security Advisories
• CloakLLM-JS Security Advisories

Please do NOT open a public GitHub issue for security vulnerabilities.

• Acknowledgment within 48 hours of your report
• Status update within 7 days with an assessment and timeline
• Fix or mitigation as soon as feasible, typically within 30 days

The following are in scope for security reports:

• PII detection bypass (false negatives that leak sensitive data)
• Token map leaks (PII persisting in memory after request completion)
• Audit log tampering or integrity bypass
• Dependency vulnerabilities with a viable exploit path

• False positives in PII detection (report as a regular issue)
• Denial-of-service via large inputs (known limitation)
• Vulnerabilities in dependencies without a demonstrated impact on CloakLLM