Security: Paca-AI/paca

SECURITY.md

Security Policy

Paca is in an early documentation-first phase.

Reporting a Vulnerability

  • Do not open public issues for security vulnerabilities.
  • Report vulnerabilities privately to the maintainers once a contact channel is published.
  • Include the affected area, impact, reproduction details, and any suggested mitigation.

Scope

Security reports may cover:

  • authentication and authorization risks;
  • data exposure risks involving PostgreSQL, Redis, or message flows;
  • unsafe AI agent actions or privilege boundaries;
  • supply chain or dependency risks;
  • deployment misconfiguration risks.

Current Status

The project does not yet publish a formal response SLA.

As implementation begins, this document should be updated with:

  • a reporting address;
  • supported versions;
  • disclosure expectations;
  • response timelines.

There aren't any published security advisories