If you discover a security vulnerability in MetaGen, please report it responsibly.

1. Do not open a public GitHub issue for security vulnerabilities
2. Email the maintainers directly or use GitHub's private vulnerability reporting
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fixes (optional)

• Acknowledgment within 48 hours
• Regular updates on progress
• Credit in the security advisory (if desired)

MetaGen is a research artifact that generates code and documents. Security concerns include:

• Code injection: Malicious specs that generate harmful code
• Path traversal: Specs that write files outside intended directories
• Denial of service: Specs that cause excessive resource consumption

• Vulnerabilities in generated code (users should review before execution)
• Issues with third-party dependencies (report to upstream)
• Social engineering attacks

When using MetaGen:

1. Review generated code before execution
2. Validate specs from untrusted sources
3. Run in sandboxed environments when testing untrusted specs
4. Keep dependencies updated (pip install --upgrade)

We thank all security researchers who responsibly disclose vulnerabilities.