d1182af4cf
Fact-check (README positioning): - Template count: 120/123 → 108 (ground truth recount) - Ratio: 14× → 24× (19,000 ÷ 784 = 24.2×) - everything-cc stars: 31.9k → 45k+ (verified Feb 15) - Commands count: 20 → 23, hooks: 30 → 31 Added: - Grepai MCP documentation (semantic search, call graphs) - 3 hook templates (rtk-baseline, session-summary, session-summary-config) - 2 resource evaluations (system-prompts update, qmd token savings) Changed: - RTK documentation overhaul (v0.7.0 → v0.16.0, rtk-ai org) - Exports deprecated (kimi.pdf, notebooklm.pdf → deprecated/) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
68 lines
2.8 KiB
Markdown
68 lines
2.8 KiB
Markdown
# Security Policy
|
|
|
|
## Scope
|
|
|
|
This repository contains **documentation and educational templates** for Claude Code. It does not include executable code that processes user input or runs in production environments.
|
|
|
|
**Security concerns specific to this repository:**
|
|
- Documentation accuracy for security practices
|
|
- Template code quality and security patterns
|
|
- Threat database integrity ([`machine-readable/threat-db.yaml`](./machine-readable/threat-db.yaml))
|
|
|
|
**Out of scope:**
|
|
- Security vulnerabilities in Claude Code CLI itself → Report to [Anthropic](https://github.com/anthropics/claude-code/security)
|
|
- Security issues in MCP servers → Report to respective server maintainers
|
|
|
|
## Reporting a Security Issue
|
|
|
|
If you discover a security concern related to this guide (examples: malicious template, incorrect security advice, threat database inaccuracies), please:
|
|
|
|
1. **Email**: florian.bruniaux@methode-aristote.fr
|
|
- Subject: `[SECURITY] Claude Code Guide - Brief Description`
|
|
- Include: Affected file/section, description, impact assessment
|
|
|
|
2. **GitHub Private Disclosure**: Use [Security Advisories](../../security/advisories/new) for sensitive issues
|
|
|
|
**Response SLA**: We aim to respond within 48 hours and issue fixes within 7 days for critical issues.
|
|
|
|
## Security Resources
|
|
|
|
This guide maintains comprehensive security documentation:
|
|
|
|
- **[Security Hardening Guide](./guide/security-hardening.md)** — MCP vetting, injection defense, audit workflows
|
|
- **[Threat Database](./machine-readable/threat-db.yaml)** — 18 CVEs, 341 malicious skills
|
|
- **[Security Hooks](./examples/hooks/)** — 30 production hooks (bash + PowerShell)
|
|
- **[Security Commands](./examples/commands/)** — `/security-check`, `/security-audit`, `/update-threat-db`
|
|
|
|
## Security Maintenance
|
|
|
|
**Threat Database Updates**: The threat intelligence database is updated based on:
|
|
- CVE announcements and security advisories
|
|
- Community reports of malicious skills/MCP servers
|
|
- Anthropic security bulletins
|
|
- Academic research (e.g., prompt injection papers)
|
|
|
|
**Audit Schedule**:
|
|
- Weekly review of new MCP servers and skills
|
|
- Monthly audit of security documentation accuracy
|
|
- Quarterly full threat database refresh
|
|
|
|
**Last Updated**: 2026-02-11 (v3.26.0)
|
|
|
|
## Coordinated Disclosure
|
|
|
|
If you're a security researcher and find issues affecting multiple repositories in the Claude Code ecosystem:
|
|
|
|
1. Email us first (coordinated disclosure preferred)
|
|
2. We'll coordinate with other maintainers if needed
|
|
3. Public disclosure timing: 90 days or after fix, whichever comes first
|
|
|
|
## Acknowledgments
|
|
|
|
We thank security researchers who have contributed to improving this guide's security content through responsible disclosure.
|
|
|
|
---
|
|
|
|
**Author**: [Florian BRUNIAUX](https://github.com/FlorianBruniaux) | Founding Engineer [@Méthode Aristote](https://methode-aristote.fr)
|
|
|
|
**Guide License**: [CC BY-SA 4.0](./LICENSE)
|