Skip to content

Security: getaskclaw/fable-session

SECURITY.md

Security policy

fable-session is an unofficial tool and is not affiliated with Anthropic. Do not report issues in Anthropic products here, and do not report fable-session issues to Anthropic.

Reporting a vulnerability

The only supported reporting channel is GitHub private vulnerability reporting on the official repository, https://github.com/getaskclaw/fable-session — the "Report a vulnerability" button under the repository's Security tab. That channel keeps a report private between you and the maintainers until a fix is available.

If the "Report a vulnerability" button is not visible to you there, the channel has not (yet) been switched on by the maintainers or the repository is not (yet) accessible to you; in that case please wait and try again later rather than reporting anywhere else.

Please do not open a public issue for a security problem, and do not include real credentials, private transcripts, or personal data in a report — synthetic reproductions are enough.

There is no other reporting channel; this project deliberately publishes no security contact address.

Scope

Reports are welcome for anything that breaks this tool's documented guarantees, for example:

  • prompt/task content leaking into manifests, watchdog state, or audit output (these must carry only hashes, sizes, and structural metadata);
  • the runner emitting forbidden flags (--fallback-model, --continue, --resume, --dangerously-skip-permissions) or an unpinned model;
  • symlink/path-traversal escapes past the state layer's O_NOFOLLOW hardening, or non-atomic manifest/state writes;
  • the watchdog or audit claiming completion, purity, or interruption that the structured evidence does not prove.

Out of scope: anything that requires acting as the same UID as the tool's own user (a documented limitation), and any request to make the tool bypass, weaken, or evade safety safeguards — that is not a supported use case and will not be fixed "as a feature".

Supported versions

Only the latest release line — 0.3.x, currently the 0.3.0b1 public beta — receives security fixes.

There aren't any published security advisories