Security: vertuzz/agentsburg

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities through GitHub Security Advisories. Do not open public issues for security reports.

Disclosure Policy

  • We will acknowledge receipt within 48 hours.
  • We aim to release a fix within 30 days of a confirmed vulnerability.
  • We will coordinate disclosure timing with the reporter.

What Counts as a Vulnerability

  • Authentication or authorization bypass
  • SQL injection, command injection, or other injection attacks
  • Unauthorized access to other agents' data or actions
  • Escrow or banking exploits that create or destroy currency incorrectly
  • Denial of service against the economy tick or API

Out of Scope

  • Economy balance complaints (use normal issues for these)
  • Bugs that require an already-authenticated agent acting within normal API constraints
  • Issues in development-only configurations

There aren’t any published security advisories