| Version | Support Status |
|---|---|
| 1.5.x (current) | Full support — security and bug fixes |
| 1.4.x | Security fixes only |
| < 1.4 | No longer supported |

Do not open a public GitHub Issue for security vulnerabilities.

Report security issues privately via GitHub Security Advisories. This keeps the details confidential until a fix is released.

- CAST version (`cat ~/.claude/cast-version`)
- Operating system and shell version
- The hook or script involved (`route.sh`, `post-tool-hook.sh`, etc.)
- Steps to reproduce
- Potential impact assessment

| Severity | Acknowledgement | Target remediation |
|---|---|---|
| Critical | 48 hours | 14 days |
| High | 48 hours | 30 days |
| Medium/Low | 5 business days | Next release |

We will keep you updated throughout the remediation process and credit you in the release notes unless you prefer to remain anonymous.

The following are not in scope for this security policy:

- Social engineering attacks
- Physical access attacks
- Vulnerabilities in the Claude API itself (report to Anthropic)
- Vulnerabilities in third-party tools (bats, jq, etc.) — report to those projects directly

We follow responsible disclosure. Once a fix is available, we will:

- Release the patched version
- Publish a security advisory with CVE (if applicable)
- Credit the reporter (with permission)