If you discover a security vulnerability, please report it responsibly:

1. Do not open a public GitHub issue.
2. Email the maintainer at the address listed in the NuGet package metadata, or use GitHub Security Advisories.
3. Include a description of the issue, steps to reproduce, and any potential impact.

You can expect an initial response within 72 hours. Confirmed vulnerabilities will be patched in a new release as soon as practical.

This policy covers the JD.SemanticKernel.Connectors.ClaudeCode library and the sample CLI tools distributed in this repository. Third-party dependencies are managed via Dependabot and reviewed regularly.