Security: dudujuju828/SpecOrca

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in SpecOrca, please report it responsibly. Do not open a public GitHub issue.

Instead, email the maintainers directly or use GitHub's private vulnerability reporting feature on this repository.

Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept.
  • The version(s) of SpecOrca affected.

Response timeline

  • Acknowledgement within 3 business days.
  • Assessment and fix as soon as practical; we aim to release a patch within 14 days for confirmed vulnerabilities.

Supported versions

Version    Supported
0.1.x      Yes

Scope

This policy covers the SpecOrca Python package (spec_orca) and its default Claude Code backend integration. Third-party backends are outside this scope — please report issues with those to their respective maintainers.
