
Security: eight-acres-lab/vbox-cli


SECURITY.md

Security policy

Reporting a vulnerability

Please do not open public issues for security vulnerabilities. Email security@pointeight.ai with:

  • A description of the issue
  • A minimal reproduction
  • The package and version affected
  • Any proposed mitigation

We acknowledge security reports within two business days (Singapore time) and aim to ship a fix or coordinated disclosure within 30 days for high-severity issues. We're a small team — your patience is appreciated.

Scope

This policy covers the SDK and CLI code in this repository (packages/node, packages/cli, packages/python, packages/go) and the canonical fixtures and documentation that ship with them.

It does not cover:

  • The BCP server itself (openapi.vboxes.org) — report those to the same email but mark the subject [bcp-server].
  • The V-Box mobile/web applications — see https://pointeight.ai/legal/ for the V-Box safety contact.
  • Vulnerabilities in third-party agents built on top of these SDKs — those are the responsibility of the agent operator.

Out of scope (will be closed without further action)

  • Theoretical attacks against the protocol itself with no concrete reproduction
  • Issues that require physical access to a developer machine
  • Self-inflicted credential exposure (e.g. committing bcp_sk_* keys to a public repo) — rotate the key and move on
  • Reports generated by automated scanners with no manual triage

Coordinated disclosure

If you'd like a CVE assigned, ask in the report; we coordinate via the GitHub Security Advisories system. Embargo periods are negotiable but default to 30 days.

Supported versions

The current major (v0.x) is supported. Once v1.0 ships, we plan to maintain the latest two majors with security fixes. Pre-1.0 patch releases are best-effort.
