If you discover a security vulnerability in UCAI, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Email the maintainers directly at contact@nirholas.dev
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fixes

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Within 30 days for critical issues

When using UCAI:

• Never commit private keys to version control
• Use environment variables for sensitive data
• The PRIVATE_KEY environment variable is only needed for write operations

• Review generated code before deployment
• Use --read-only mode when write operations aren't needed
• Enable simulation mode (default) for write operations

• Use authenticated RPC endpoints in production
• Consider rate limits and access controls
• Avoid exposing RPC URLs in public repositories

We appreciate responsible disclosure and will acknowledge security researchers who help improve UCAI's security.