Security fixes are supported on the default branch, main. Older commits, tags, forks, and locally modified installs are not supported unless a maintainer says otherwise.
Please report vulnerabilities in Hacker Bob privately through GitHub private vulnerability reporting from this repository's Security tab. Do not open a public issue or discussion for a suspected vulnerability.
Include as much of the following as you can:
- The affected commit, version, or install path.
- Your operating system, Node.js version, selected host adapter, and host CLI setup.
- Reproduction steps or a minimal proof of concept.
- Expected impact and any data, files, hosts, or credentials involved.
- Suggested fixes or mitigations, if you have them.
We will review reports as quickly as practical and may ask for more detail before confirming impact or preparing a fix.
In scope:
- Vulnerabilities in the MCP server, tools, adapter surfaces, hooks, prompts, or installer.
- Secret leakage, unsafe credential handling, or auth-profile exposure.
- Path traversal, arbitrary file write, or unsafe session storage behavior.
- SSRF, unsafe redirect handling, or unintended local/internal network access caused by Hacker Bob itself.
- Dependency vulnerabilities that create exploitable risk for users of this project.
Out of scope:
- Vulnerabilities in third-party targets scanned with Hacker Bob.
- Bug bounty findings generated by Hacker Bob against another program.
- Reports about targets where you do not have authorization to test.
- Feature requests, support questions, or expected behavior documented in DISCLAIMER.md.
If Hacker Bob finds an issue in another organization, report it through that organization's official disclosure or bug bounty channel, not through this project's security policy.