Security policy
Claude Guides is an educational project. The repository ships curriculum content, runnable notebooks, exercise scaffolding, and a small Python build pipeline that produces a static site. There is no server, no database, no user accounts — but we still take security reports seriously, because a compromised tutorial reaches a lot of beginners.
What's in scope
- Anything that ships in this repository: build scripts under tools/, example code under guides/*/scripts, notebooks, and the static-site generator.
- The claudeguides.berta.one site (built from this repo, served through GitHub Pages and Netlify).
- The CI workflows in .github/workflows/ — credentials handling, action pinning, supply-chain.
What's out of scope
- The Anthropic API itself — please report those to Anthropic.
- Third-party dependencies. If the issue is in a dependency, file it upstream and link the report here so we can pin around it.
- Best-practice nits without a concrete attack scenario (e.g. "you should add HSTS preloading"). Open a normal issue or PR for those.
Reporting a vulnerability
Email hello@rondaninipublishing.com with subject line [security] <one-line summary>. Please include:
- A clear description of the issue and the impact you can demonstrate.
- Steps to reproduce (or a minimal proof-of-concept).
- Affected file paths, commit SHAs, or URLs.
- Whether you'd like to be credited and how.
We acknowledge reports within 3 working days and aim to ship a fix or mitigation within 30 days for issues that have a real-world impact. For sensitive reports we'll coordinate a disclosure date with you.
Please do not open a public GitHub issue for a vulnerability before we've had a chance to respond. If you don't hear back within five working days, you're free to escalate publicly.
Recognition
We don't run a paid bug bounty, but we'll list you in the release notes for the fix and (if you want) on the contributors page. Thanks for helping keep the curriculum safe.