Security: Daita-Corp/daita-agents

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in daita-agents, please do not open a public GitHub issue.

Instead, report it privately by emailing support@daita-tech.io with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof-of-concept
  • Any relevant logs, code snippets, or configuration details

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation plan within 14 days for confirmed vulnerabilities.

Scope

This policy covers the daita-agents package and its core framework. It does not cover:

  • Third-party LLM provider APIs (OpenAI, Anthropic, etc.) — report those to the respective vendors
  • Infrastructure you run yourself using this framework

Supported Versions

We apply security fixes to the latest release only. We recommend always running the latest version.

Disclosure

We follow coordinated disclosure. Once a fix is released, we will publish a security advisory on this repository. We credit reporters by name unless they prefer to remain anonymous.

There aren't any published security advisories