Security: sjnims/requirements-expert

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
0.5.x

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them using one of the following methods:

Preferred: GitHub Private Vulnerability Reporting

  1. Go to the Security Advisories page
  2. Click "Report a vulnerability"
  3. Fill out the advisory details form

This is the preferred method as it allows us to work with you privately to fix the issue before public disclosure.

Alternative: Email

If you prefer, you can also email security concerns to: sjnims@gmail.com

Please include:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

After you submit a vulnerability report, you can expect:

  1. Acknowledgment: We'll acknowledge receipt of your report within 48 hours
  2. Initial Assessment: We'll assess the issue and determine its severity within 5 business days
  3. Regular Updates: We'll keep you informed about our progress
  4. Fix Timeline: We aim to release a fix within 30 days for critical issues, 90 days for others
  5. Credit: With your permission, we'll credit you in the security advisory and release notes

Security Update Process

When a security vulnerability is confirmed:

  1. We'll develop and test a fix
  2. We'll prepare a security advisory
  3. We'll coordinate disclosure timing with you
  4. We'll release the fix and publish the advisory
  5. We'll update this SECURITY.md if needed

Security Best Practices for Users

For Plugin Users

  1. Keep Updated: Always use the latest version of the plugin
  2. GitHub CLI: Keep your gh CLI updated (check version with gh --version)
  3. Permissions: Only grant the minimum required GitHub permissions (repo, project)
  4. Authentication: Use GitHub's recommended authentication methods
  5. Review Commands: Review what each /re:* command does before running it

For Contributors

  1. No Secrets in Code: Never commit API keys, tokens, or credentials
  2. Dependencies: Keep dependencies minimal (this plugin has only GitHub CLI as an external dependency)
  3. Code Review: All changes go through pull request review
  4. Markdown Linting: Run markdownlint before committing to catch potential issues
  5. Test Locally: Always test with claude --plugin-dir plugins/requirements-expert before pushing

Claude Code Plugin Security Considerations

This plugin has specific security measures unique to Claude Code plugins:

  1. Restricted Tool Access: Commands use the Bash(gh:*) pattern to limit shell access to GitHub CLI only, following the principle of least privilege

  2. No Credential Storage: The plugin never stores credentials - all authentication is handled by GitHub CLI (gh auth)

  3. No Local State: No sensitive data is cached locally; GitHub Projects is the single source of truth

  4. Hook Safety: The UserPromptSubmit hook only performs pattern matching on user input and does not execute arbitrary code

  5. Agent Tool Limitations: The requirements-assistant agent requires unrestricted Bash (Claude Code platform limitation), but only executes gh CLI commands in practice

  6. Input Validation: All user-provided values (project names, issue titles) are passed through GitHub CLI, which handles escaping

When reviewing contributions, verify:

  • Commands use the Bash(gh:*) restriction, not unrestricted Bash
  • No hardcoded secrets or credentials
  • No local file writes for sensitive data
  • Hook patterns don't enable code injection
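
The first review item above can be checked mechanically. The following is an added sketch, not code from this repository: it reads a command file's frontmatter and reports every Bash entry that is not scoped to gh. It assumes commands declare their tools in an `allowed-tools` frontmatter key; the function names and the sample command files are constructed for illustration.

```python
import re
TOOL_RE = re.compile(r"[A-Za-z_][\w-]*(?:\([^)]*\))?")  # "Read", "Bash(gh:*)"

def allowed_tools(command_md):
    """Return the tool entries listed under allowed-tools in the frontmatter."""
    lines = command_md.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    tools, in_key = [], False
    for line in lines[1:]:
        if line.strip() == "---":                    # end of frontmatter
            break
        if line.startswith("allowed-tools:"):        # inline, comma-separated form
            in_key = True
            tools += TOOL_RE.findall(line.split(":", 1)[1])
        elif in_key and line.lstrip().startswith("- "):  # YAML list form
            tools += TOOL_RE.findall(line.lstrip()[2:])
        else:
            in_key = False
    return tools

def unscoped_bash(command_md):
    """Return every Bash entry that is not limited to the gh CLI."""
    findings = []
    for tool in allowed_tools(command_md):
        m = re.fullmatch(r"Bash(?:\((.*)\))?", tool)
        if m is None:
            continue                                 # not a Bash entry
        scope = (m.group(1) or "").strip()
        # Accept "gh", "gh:*", "gh issue list:*"; reject "", "*", "ghost:*".
        if not re.fullmatch(r"gh(?:[ :].*)?", scope):
            findings.append(tool)
    return findings

# Constructed sample command files (not taken from the repository).
GOOD = """---
description: List requirement issues
allowed-tools: Bash(gh:*), Read
---
"""
BAD = """---
allowed-tools:
  - Bash
  - Bash(gh project:*)
  - Bash(git push:*)
---
"""
if __name__ == "__main__":
    print(unscoped_bash(GOOD), unscoped_bash(BAD))
```

A non-empty result for any command file is a review finding: the entry grants shell access beyond the gh CLI.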

Scope

This security policy applies to:

  • The requirements-expert Claude Code plugin
  • All components: commands, skills, agents, hooks
  • GitHub CLI integration code
  • Documentation that affects security

Out of Scope

The following are not covered by this security policy:

  • Vulnerabilities in Claude Code itself (report to Anthropic)
  • Vulnerabilities in GitHub CLI (report to GitHub)
  • Vulnerabilities in GitHub Projects (report to GitHub)
  • Third-party integrations not maintained by this project

Security Disclosure Policy

We follow coordinated disclosure:

  • We'll work with you to understand and fix the issue
  • We'll agree on a disclosure timeline (typically 90 days)
  • We'll credit you (if you wish) when we publish the advisory
  • We ask that you don't publicly disclose until we've released a fix

Recognition

We appreciate the security research community's efforts to improve the security of this plugin. Security researchers who responsibly disclose vulnerabilities will be:

  • Acknowledged in the security advisory (if they wish)
  • Credited in release notes
  • Listed in this file's Hall of Fame (if they wish)

Hall of Fame

No security issues have been reported yet.

Contact

Additional Resources


Note: This security policy was last updated: December 13, 2025

There aren’t any published security advisories