GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as GitHub.
Even though open source repositories are outside of the scope of our bug bounty program and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.

Reporting Security Issues

If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

How to Report

Instead of using public channels, please send an email to: [email protected]

What to Include

Please include as much of the information listed below as you can to help us better understand and resolve the issue:
  • Type of issue: e.g., buffer overflow, SQL injection, or cross-site scripting
  • Impact: How an attacker might exploit the issue and what they could achieve
  • Full paths: Paths of source file(s) related to the manifestation of the issue
  • Location: The location of the affected source code (tag/branch/commit or direct URL)
  • Special configuration: Any special configuration required to reproduce the issue
  • Step-by-step instructions: Clear instructions to reproduce the issue
  • Proof-of-concept: Proof-of-concept or exploit code (if possible)
This information will help us triage your report more quickly.

Our Commitment

  1. Acknowledgment: We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
  2. Investigation: We will investigate the issue and work with you to understand the scope and severity.
  3. Resolution: We will work to remediate the vulnerability and notify you when a fix is available.
  4. Credit: If you’d like, we will publicly credit you for the responsible disclosure (unless you prefer to remain anonymous).

Policy

See GitHub’s Safe Harbor Policy for more information about our security research policies.
We appreciate the security research community’s efforts to help keep GitHub and our users safe. Thank you for your responsible disclosure.

Scope

What’s Covered

This security policy applies to:
  • The Awesome GitHub Copilot repository code and infrastructure
  • Build scripts and automation
  • Dependencies and third-party integrations
  • Documentation that could lead to security issues

What’s Not Covered

This policy does not cover:
  • Individual instructions, agents, skills, or plugins contributed by the community (report these through GitHub issues)
  • General questions or feature requests (use GitHub issues for these)
  • GitHub Copilot itself (report to GitHub Support)
  • Third-party services or platforms

Security Best Practices

When contributing to this repository:
  • Review code carefully: Ensure contributed resources don’t introduce security vulnerabilities
  • Avoid secrets: Never include API keys, passwords, or other sensitive data in contributions
  • Follow guidelines: Adhere to our Contributing Guidelines which include security considerations
  • Validate inputs: If creating agents or skills that process user input, validate and sanitize properly
  • Least privilege: Workflows should use minimal permissions necessary

Workflow Security

For Agentic Workflows specifically:
  • Use least-privilege permissions in workflow frontmatter
  • Prefer safe-outputs instead of direct write access
  • Avoid hardcoded secrets or credentials
  • Follow the GitHub Agentic Workflows specification
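As an added illustration that is not part of the original policy, the frontmatter below shows an agentic workflow configured with direct write access beside the same workflow restricted to read-only permissions plus a safe-output. The `permissions:` and `safe-outputs:` keys are the ones the page refers to; the `on:` trigger and the `create-issue` sub-keys (`max`, `labels`) are assumed from the GitHub Agentic Workflows specification and should be checked against its current version.

```yaml
# Weak: the workflow token can write repository contents, issues and pull
# requests directly, so a misbehaving or prompt-injected agent can push,
# edit or close things on its own authority.
---
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
  pull-requests: write
---

# Least privilege: the token is read-only. The only write the agent can cause
# is routed through a safe-output that the framework performs on its behalf,
# capped at one new issue per run and tagged with a fixed label so that the
# effect of a run is bounded and easy to audit.
---
on:
  issues:
    types: [opened]
permissions:
  contents: read
  issues: read
safe-outputs:
  create-issue:
    max: 1
    labels: [triage]
---
```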

Contact Information

Thank you for helping keep the Awesome GitHub Copilot project and our community safe.