• Scope. Anything in the flocks/ tree. Out-of-scope: third-party vendor CLIs (Claude / Codex / Gemini upstream), the user’s own toolchain.
• Contact. security@flocks.sh (PGP key in repo).
• Process. Acknowledge in 24h, triage in 72h, fix-or-roadmap in 14d.
We name what we actually enforce. If you find something we claim that the code doesn’t deliver, that’s a security bug — please tell us.