If you discover a security vulnerability in any AToolZ project, please report it responsibly.

How to report:

• Use GitHub Security Advisories (preferred)
• Or email: security@atoolz.dev

What to expect:

• Acknowledgment within 48 hours
• Status update within 7 days
• We'll coordinate disclosure timing with you

AToolZ projects are VS Code extensions that run locally. The primary risk vectors are:

• Command injection via extension settings (e.g., binary paths)
• Malicious workspace configuration files
• Dependency supply chain

We provide security updates for the latest published version of each extension.