If you believe you have found a security vulnerability in YAMS, please report it responsibly.

Reporting

• Do not open public tickets for vulnerabilities.
• Email: admin@yamsmemory.ai (PGP optional)
• Include: affected version/commit, platform, impact, minimal PoC and repro steps, logs if available.

Response targets

• Acknowledge receipt within 48 hours.
• Triage within 7 days; we will inform you of severity and next steps.
• Fix or mitigation target within 90 days for high/critical, the best effort otherwise.

Disclosure

• We prefer coordinated disclosure. We will credit reporters unless you ask otherwise.
• CVEs: If warranted, we will request a CVE and share the ID in the advisory.

Scope

• YAMS daemon, CLI, plugins maintained in this repo.
• Excludes third‑party dependencies (report upstream) and unsupported forks.

Supported versions

• Main branch and the latest minor release line receive security fixes.