# SkillShield Vulnerability Disclosure Policy **Effective Date:** February 12, 2026 **Last Updated:** February 12, 2026 ## Our Commitment SkillShield is committed to ensuring the security of AI agent ecosystems. We believe in **responsible disclosure** — working with security researchers and developers to fix vulnerabilities before they're publicly disclosed. --- ## Scope This policy applies to: - **AI skills** (SKILL.md files) in our directory - **MCP servers** listed or scanned by SkillShield - **SkillShield's own infrastructure** (API, website, scanner) - **Third-party integrations** using our platform --- ## What We're Looking For We welcome reports of: ### Critical Priority - Remote code execution (RCE) - Credential theft / API key exfiltration - Unauthorized filesystem access - Data exfiltration vulnerabilities - Prompt injection leading to system compromise ### High Priority - Path traversal - Command injection - Privilege escalation - SSRF (Server-Side Request Forgery) - Insecure deserialization ### Medium Priority - Information disclosure - Missing input validation - Weak permission scopes - Dependency vulnerabilities ### Low Priority - Best practice violations - Missing security headers - Documentation issues --- ## Out of Scope The following are **not** eligible for disclosure rewards: - Denial of Service (DoS) attacks - Social engineering attacks - Physical security attacks - Attacks on users (phishing, etc.) - Vulnerabilities in third-party services we use - Issues requiring physical access to user devices --- ## How to Report ### Email (Preferred) **security@skillshield.dev** ### What to Include 1. **Description** — Clear explanation of the vulnerability 2. **Impact** — What could an attacker do? 3. **Steps to reproduce** — Detailed instructions 4. **Proof of concept** — Code, screenshots, or video 5. **Affected resources** — URLs, skill names, MCP servers 6. **Your contact info** — For follow-up questions ### Response Time | Stage | Timeframe | |-------|-----------| | Initial response | 48 hours | | Vulnerability assessment | 5 business days | | Fix development | 30 days (critical), 90 days (high) | | Public disclosure | After fix deployed | --- ## Our Process ``` 1. Report received → Acknowledgment within 48h 2. Triage → Severity assessment 3. Investigation → Confirm and scope 4. Fix development → Work with maintainer 5. Fix deployed → Verify resolution 6. Disclosure → Public acknowledgment (if desired) ``` --- ## Safe Harbor We promise: ✅ **No legal action** against researchers following this policy ✅ **Confidentiality** — Your identity stays private unless you want recognition ✅ **No DMCA** claims for security research ✅ **Acknowledgment** — Public thanks (with your permission) ✅ **Fast response** — We prioritize security reports --- ## Rewards While we don't have a formal bug bounty program yet, we offer: | Severity | Recognition | Swag | |----------|-------------|------| | Critical | Hall of Fame + Blog mention | SkillShield hoodie | | High | Hall of Fame | T-shirt | | Medium | Hall of Fame | Stickers | | Low | Thanks email | — | **Future:** We plan to launch paid bounties as we grow. --- ## Hall of Fame ### 2026 *No disclosures yet — be the first!* --- ## For Skill/MCP Maintainers If we discover a vulnerability in your skill/MCP server: 1. **You'll receive** a private report with full details 2. **You have** 90 days to fix before public disclosure (critical: 30 days) 3. **We can help** with remediation advice 4. **You'll get** credit for the fix, not blame for the bug We believe in **fixing, not shaming**. --- ## Contact | Purpose | Contact | |---------|---------| | Security reports | security@skillshield.dev | | General questions | charles@skillshield.dev | | Twitter DMs | [@charlescsturt](https://twitter.com/charlescsturt) | | PGP Key | [Download](/security/pgp-key.txt) | --- ## Related Policies - [Responsible Disclosure Guidelines](https://skillshield.dev/security/responsible-disclosure) - [Data Handling Policy](https://skillshield.dev/security/data-handling) - [Privacy Policy](https://skillshield.dev/privacy) --- **We appreciate your help in keeping AI agents secure.** 🔒 *This policy is inspired by [GitHub's Security Policy](https://bounty.github.com/) and [Google's VRP](https://bughunters.google.com/).*