Claude Code Project Lacks Critical Security Disclosure Policy, Raising Risk for Open-Source Users

The Claude Code project, an open-source tool that manages sessions capable of executing arbitrary commands, is operating without a formal vulnerability disclosure policy. This absence of a documented security process creates a significant blind spot for users and contributors who may discover critical flaws. The repository lacks a standard `SECURITY.md` file, either in the project root or the `.github/` directory, which is a foundational security practice for software handling high-risk operations.

This oversight is particularly acute given the project's function. Claude Code sessions can execute arbitrary commands, a capability that, if exploited through an undisclosed vulnerability, could lead to severe security incidents. Without a clear, public policy, security researchers have no official channel to report findings responsibly, increasing the likelihood that vulnerabilities remain unpatched or are disclosed in unsafe ways. The issue was flagged by an automated development agent, highlighting a gap that human maintainers may have overlooked.

The lack of a security policy not only exposes end-users to potential risk but also reflects on the project's operational maturity and its commitment to secure development practices. For an open-source project in this domain, the failure to establish basic security governance signals a potential weakness in its overall security posture. It places the onus on users to assess their own risk, as there is no formal framework for coordinated vulnerability disclosure and patching.