We release patches for security vulnerabilities in the following versions:

We take the security of PCL seriously. If you discover a security vulnerability, please follow these steps:

Please do not open a public issue on GitHub. Security vulnerabilities should be reported privately.

Send a detailed report to: security@pclang.org or create a private security advisory on GitHub.

Include:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if available)

• We will acknowledge receipt of your vulnerability report within 48 hours
• We will provide a detailed response within 7 days
• We will work with you to understand and resolve the issue promptly

• We request that you do not disclose the vulnerability until we have had a chance to address it
• Once a fix is available, we will:
  • Release a security patch
  • Publish a security advisory
  • Credit you for the discovery (unless you prefer to remain anonymous)

When using PCL:

• Always validate and sanitize user input before processing
• Use PCL's built-in validation mechanisms
• Be cautious with dynamic persona composition

• Implement proper authentication for registry access
• Use role-based access control for team operations
• Secure API keys and credentials

• Use encrypted connections (HTTPS/TLS) for registry communication
• Regularly audit registry access logs
• Keep registry backend software up to date

• Be cautious when executing dynamically generated PCL code
• Validate workflow definitions before execution
• Use sandboxing for untrusted persona execution

• Regularly update dependencies using npm audit
• Review security advisories for PCL and its dependencies
• Use npm audit fix to patch known vulnerabilities

The PCL Bootstrap system for AI chat interfaces should be used with:

• Trusted AI providers only
• Proper rate limiting
• Input validation for persona commands
• Monitoring for unusual activity

Different backends have different security profiles:

• JSON File Backend: Local filesystem permissions apply
• SQLite Backend: Database file permissions critical
• PostgreSQL Backend: Network security and authentication required

Security updates are released as soon as possible after a vulnerability is confirmed. Subscribe to our GitHub releases to stay informed.

PCL aims to help organizations meet compliance requirements. See:

• PCL Governance
• Security Model
• Compliance Quick Reference

For security concerns that are not vulnerabilities (questions, best practices, etc.), please open a regular GitHub issue or discussion.

Last Updated: January 18, 2026