Security: evalops/maestro

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Maestro, please report it responsibly.

Email: [email protected]

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgement: Within 2 business days
  • Initial assessment: Within 5 business days
  • Fix or mitigation: Depends on severity, but we aim for 30 days for critical issues

Disclosure Policy

We follow a 90-day coordinated disclosure window. If you report a vulnerability, we ask that you:

  1. Do not disclose publicly until we have released a fix or 90 days have passed
  2. Do not exploit the vulnerability beyond what is necessary to demonstrate it
  3. Do not access or modify other users' data

Scope

This policy applies to the Maestro codebase and its official packages:

  • @evalops/maestro and all @evalops/* packages
  • Official Docker images (ghcr.io/evalops/maestro)
  • The Maestro VS Code extension and JetBrains plugin

Recognition

We appreciate security researchers who help keep Maestro safe. With your permission, we will acknowledge your contribution in the relevant release notes.

There aren’t any published security advisories