If you discover a security vulnerability in this project — whether in the protocol itself, the templates, the skill files, or the repository infrastructure — please report it responsibly.

1. Do NOT open a public issue. Security reports must be private.
2. Email: Send a detailed report to security@affordance.design
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if you have one)

This security policy covers:

• Protocol content — guidance that could lead to insecure practices if followed
• Template vulnerabilities — templates that could expose secrets or create attack vectors
• Skill file injection — skill files that could be manipulated to produce unsafe AI behavior
• Repository infrastructure — CI/CD, GitHub Actions, dependency supply chain

• Vulnerabilities in projects that use PWP (report those to the project maintainers)
• Theoretical attacks that require physical access to a developer's machine
• Social engineering attacks against contributors

The protocol itself enforces security standards:

• protocol/00-mindset.md — No client secrets, sanitize input, enforce auth on backend
• skills/security-audit.skill.md — Comprehensive security audit checklist for AI agents
• protocol/09-dependency-management.md — Dependency evaluation and audit cadence
• templates/deployment-checklist.md — Pre-deploy security verification

We gratefully acknowledge security researchers who responsibly disclose vulnerabilities. With your permission, we will credit you in the CHANGELOG and in a SECURITY-ACKNOWLEDGMENTS.md file.

Thank you for helping keep PWP and its users secure.