Security: johndfowler/deepsec-skill

SECURITY.md

Security Policy

The Defensive OpSec Operating Standard cites ISO/IEC 29147 (coordinated vulnerability disclosure). This file walks the talk.

Reporting a vulnerability

  • Preferred channel: GitHub Security Advisories (private)
  • Subject: [deepsec-skill] vulnerability report
  • Encryption: PGP key on request
  • Acknowledgement SLA: 72 hours
  • Initial assessment SLA: 7 days
  • Coordinated disclosure window: 90 days, negotiable

A copy of this contact is also at /.well-known/security.txt.

In scope

  • The standard, the agent skill (deepsec/SKILL.md), the methodology, the references index, and the specimens hosted at https://www.deepsec-skill.dev/.
  • Prompt-injection or absorption-bypass paths against the activation precedence, canary, or conflict-detection design (see ADR-0002).
  • Citation-integrity defects in references.json or specimens: sources mis-tiered, claims that fail triangulation, fabricated verified_on timestamps.

Out of scope

  • Vulnerabilities in upstream vercel-labs/deepsec: report those to https://github.com/vercel-labs/deepsec/security.
  • Vulnerabilities in adopters' own CLAUDE.md files or host projects.
  • Theoretical attacks on agent-skill registries that don't traverse this project's surfaces.

Safe-harbour

Good-faith research that respects this policy will not be pursued legally. We follow ISO/IEC 29147 and the CISA Coordinated Vulnerability Disclosure Process.

There aren't any published security advisories