If you discover a security vulnerability, please report it responsibly.

Do not open a public GitHub issue for security vulnerabilities.

Instead, please email the maintainer or use GitHub's private vulnerability reporting.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment — within 48 hours
• Initial assessment — within 1 week
• Fix or mitigation — depends on severity, but we aim for prompt resolution

This policy covers the create-strands-agent CLI tool and the project files it generates. It does not cover third-party dependencies — please report those to their respective maintainers.