We take security seriously. If you discover a security vulnerability in SuperClaude Framework, please help us address it responsibly.

Please do NOT create public GitHub issues for security vulnerabilities.

Instead, email us directly at: security@superclaude.dev (or create a private GitHub Security Advisory)

When reporting a vulnerability, please provide:

• Description of the vulnerability and potential impact
• Steps to reproduce the issue with minimal examples
• Affected versions and components
• Suggested fixes if you have any ideas
• Your contact information for follow-up questions

• Initial response: Within 48 hours of report
• Severity assessment: Within 1 week
• Fix timeline: Depends on severity (see below)
• Public disclosure: After fix is released and users have time to update

• Remote code execution vulnerabilities
• Privilege escalation that affects system security
• Data exfiltration or unauthorized access to sensitive information

• Local code execution through hook manipulation
• Unauthorized file system access beyond intended scope
• Authentication bypass in MCP server communication

• Information disclosure of non-sensitive data
• Denial of service through resource exhaustion
• Input validation issues with limited impact

• Minor information leaks
• Configuration issues with security implications
• Dependency vulnerabilities with low exploitability

• Timeout protection: All hooks have configurable timeouts
• Input validation: JSON schema validation for all hook inputs
• Sandboxed execution: Hooks run with limited system permissions
• Error containment: Hook failures don't affect framework stability

• Path validation: Prevents directory traversal attacks
• Permission checking: Validates file system permissions before operations
• Secure defaults: Conservative file access patterns
• Backup mechanisms: Safe fallback when operations fail

• Server validation: Verify MCP server authenticity and integrity
• Communication encryption: Secure channels for all MCP communication
• Timeout handling: Prevent resource exhaustion from unresponsive servers
• Fallback mechanisms: Graceful degradation when servers are compromised

• Input sanitization: All configuration inputs are validated and sanitized
• Secrets management: Secure handling of API keys and sensitive data
• Permission controls: Fine-grained access controls in settings.json
• Audit logging: Track security-relevant configuration changes

# Verify installation scripts before running
cat install.sh | less

# Use development mode for testing
./install.sh --dev

# Check file permissions after installation
ls -la ~/.claude/

{
  "permissions": {
    "deny": [
      "Bash(rm:-rf /*)",
      "Bash(sudo:*)",
      "WebFetch(domain:localhost)"
    ]
  }
}

• Update regularly: Keep SuperClaude and dependencies current
• Review logs: Check ~/.claude/ for suspicious activity
• Monitor permissions: Ensure hooks have minimal required permissions
• Validate configurations: Use provided schemas to validate settings

# Always validate inputs
def validate_input(data: Dict[str, Any]) -> bool:
    required_fields = ["tool", "data"]
    return all(field in data for field in required_fields)

# Handle errors gracefully
try:
    result = process_data(input_data)
except Exception as e:
    return {"status": "error", "message": "Processing failed"}

# Use timeouts for external calls
import signal
signal.alarm(10)  # 10-second timeout

• Input validation: Validate all external inputs
• Error handling: Never expose internal state in error messages
• Resource limits: Implement timeouts and resource limits
• Principle of least privilege: Request minimal required permissions

• All dependencies updated to latest secure versions
• Static security analysis run (bandit, safety)
• Input validation tests pass
• Permission model reviewed
• Documentation updated with security considerations

• Monthly dependency security updates
• Quarterly security review of codebase
• Annual third-party security assessment
• Continuous monitoring of security advisories

Currently, we don't have a formal bug bounty program, but we recognize security researchers who help improve SuperClaude's security:

• Public acknowledgment in release notes and security advisories
• Early access to new features and versions
• Direct communication with the development team

1. Internal assessment of reported vulnerability
2. Fix development with thorough testing
3. Coordinated disclosure with security researcher
4. Public advisory published after fix release
5. Post-mortem to prevent similar issues

• Email: security@superclaude.dev
• PGP Key: Available on request
• Response Time: 48 hours maximum

For general security questions (not vulnerabilities):

• Create a GitHub Discussion with the "security" label
• Check existing documentation in this file
• Review the Contributing Guide for development security practices

• Contributing Guidelines - Secure development practices
• Installation Guide - Secure installation procedures
• Configuration Reference - Security settings

• OWASP Top 10
• Python Security Best Practices
• Node.js Security Best Practices

Last Updated: July 2025
Next Review: October 2025

Thank you for helping keep SuperClaude Framework secure! 🙏