Security: maango-io/ai-policy.json

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security issue in the ai-policy.json specification itself (for example, a way a malicious file could cause harm to parsers, or a semantic ambiguity that could be exploited to bypass intended permissions), please report it privately rather than opening a public issue.

Contact: security@maango.io

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Scope

This policy covers the specification document, JSON Schema, and example files in this repository. It does not cover:

  • Third-party implementations of the specification
  • The Maango Registry API or Policy Builder (those have separate security contacts at maango.io)
  • General questions about AI permissions (use Discussions)

Disclosure

We prefer coordinated disclosure. We will work with reporters to understand and resolve issues, and will publicly credit reporters in the CHANGELOG upon resolution unless anonymity is requested.

There aren’t any published security advisories