# Security Policy

## Reporting a Vulnerability

If you discover a security issue in the NoJS Skill (e.g., a prompt injection vector in the skill content or references), please report it responsibly.

**Do NOT open a public GitHub issue for security vulnerabilities.**

Instead, please email **<contact@no-js.dev>** with:

- A description of the vulnerability
- Steps to reproduce the issue
- An assessment of the potential impact, if you have one

### What to expect

- **Acknowledgment** within 48 hours of your report
- **Status update** within 7 days with an assessment and expected timeline
- **Fix and disclosure** coordinated with you before any public announcement

### Scope

The following are in scope:

- Prompt injection via skill content or reference files
- Incorrect security guidance in generated code patterns
- Sensitive information disclosure in skill metadata

### Out of scope

- Vulnerabilities in the No.JS framework itself (report those to the [framework repo](https://github.com/ErickXavier/no-js))
- Issues in the AI tool consuming the skill (Claude Code, etc.)
