We release updates to skills on a quarterly basis. Security issues are addressed as soon as possible.

| Version | Supported |
|---|---|
| Latest (main branch) | ✅ |
| Older commits | ❌ |

If you discover a security vulnerability in any skill, please report it as follows:

- DO NOT open a public issue
- Email the maintainers (or use GitHub Security Advisories)
- Include:
  - Affected skill(s)
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)

After a report is received, you can expect:

- Response time: within 48 hours
- Updates: every 5-7 days during investigation
- Resolution: security patches released as soon as possible
- Credit: public acknowledgment in release notes (if desired)

For skill users:

- ✅ Use skills from the official marketplace only
- ✅ Keep skills updated (check quarterly)
- ✅ Review skill code before using it in production
- ✅ Report suspicious patterns or vulnerabilities

For contributors:

- ✅ Never include credentials, tokens, or API keys
- ✅ Validate all user inputs in examples
- ✅ Follow SAP security best practices
- ✅ Use the latest stable package versions
- ✅ Document known security considerations

Skills provide guidance on SAP APIs and services. Always:

- Use environment variables for secrets
- Never hardcode credentials
- Follow SAP's security recommendations
- Implement proper authentication/authorization

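As an added example (not code from the SAP Skills repository), the snippet below shows the pattern the list above asks for: SAP connection secrets are read from environment variables, the process fails at startup if any are missing or malformed, and a redacted copy is used for logging so the secret never reaches log output. The variable names `SAP_CLIENT_ID`, `SAP_CLIENT_SECRET` and `SAP_TOKEN_URL` and the sample environment at the end are assumptions constructed for this example.

```javascript
// Added example: load SAP credentials from the environment instead of
// hardcoding them. Variable names below are assumptions for this example.
const REQUIRED = ["SAP_CLIENT_ID", "SAP_CLIENT_SECRET", "SAP_TOKEN_URL"];

// Build a config object from an environment map (defaults to process.env).
// Throws if a required variable is missing/empty or the token URL is not
// HTTPS, so a misconfigured deployment fails fast instead of running with
// a wrong or insecure value.
function loadSapConfig(env = process.env) {
  const missing = REQUIRED.filter(
    (name) => typeof env[name] !== "string" || env[name].trim() === ""
  );
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  let tokenUrl;
  try {
    tokenUrl = new URL(env.SAP_TOKEN_URL);
  } catch {
    throw new Error("SAP_TOKEN_URL is not a valid URL");
  }
  if (tokenUrl.protocol !== "https:") {
    throw new Error("SAP_TOKEN_URL must use https");
  }
  return {
    clientId: env.SAP_CLIENT_ID,
    clientSecret: env.SAP_CLIENT_SECRET,
    tokenUrl: tokenUrl.toString(),
  };
}

// Copy of the config that is safe to log: the secret is replaced by a marker.
function redactConfig(config) {
  return { ...config, clientSecret: "[REDACTED]" };
}

// Constructed sample environment (placeholder values, not real credentials).
const sampleEnv = {
  SAP_CLIENT_ID: "example-client",
  SAP_CLIENT_SECRET: "example-secret-value",
  SAP_TOKEN_URL: "https://example.invalid/oauth/token",
};

console.log(redactConfig(loadSapConfig(sampleEnv)));
```

In a real skill example the call would be `loadSapConfig()` with no argument, reading `process.env`; the sample map is only there so the block runs offline.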
Skills reference npm packages and SDKs. Always:

- Verify package authenticity
- Check for known vulnerabilities
- Use lock files for reproducible builds
- Keep dependencies updated

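The following added example (not part of the SAP Skills repository) shows one concrete check behind "verify package authenticity" and "use lock files": it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3 layout) and reports any dependency that was not resolved from the expected registry, has no integrity hash, or is pinned with a weaker hash than sha512. The trusted-registry list and the sample lock content are constructed for this example.

```javascript
// Added example: audit a package-lock.json for unpinned or untrusted packages.
// Expects the lockfileVersion 2/3 layout, where each installed package is a
// key like "node_modules/<name>" with "resolved" and "integrity" fields.
const TRUSTED_REGISTRIES = ["https://registry.npmjs.org/"]; // assumption for this example

function auditLockfile(lock, trustedRegistries = TRUSTED_REGISTRIES) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // "" is the root project; link entries are workspace symlinks, not tarballs.
    if (path === "" || entry.link) continue;
    // Strip the (possibly nested) node_modules prefix to get the package name.
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      findings.push({ name, issue: "no resolved URL" });
      continue;
    }
    if (!trustedRegistries.some((r) => entry.resolved.startsWith(r))) {
      findings.push({ name, issue: `resolved from untrusted source: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ name, issue: "missing integrity hash" });
    } else if (!entry.integrity.startsWith("sha512-")) {
      findings.push({ name, issue: `weak integrity algorithm: ${entry.integrity.split("-")[0]}` });
    }
  }
  return findings;
}

// Constructed sample lock file (package names and hashes are placeholders).
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/good-pkg": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/good-pkg/-/good-pkg-2.1.0.tgz",
      integrity: "sha512-PLACEHOLDERHASHVALUE==",
    },
    "node_modules/weak-hash-pkg": {
      version: "0.3.0",
      resolved: "https://registry.npmjs.org/weak-hash-pkg/-/weak-hash-pkg-0.3.0.tgz",
      integrity: "sha1-PLACEHOLDERHASHVALUE=",
    },
    "node_modules/unpinned-pkg": {
      version: "1.0.0",
      resolved: "https://example.invalid/mirror/unpinned-pkg-1.0.0.tgz",
    },
  },
};

for (const finding of auditLockfile(sampleLock)) {
  console.log(`${finding.name}: ${finding.issue}`);
}
```

Run against a real lock file with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`. This complements rather than replaces the standard tools: `npm ci` installs exactly what the lock file records and fails if it disagrees with `package.json`, and `npm audit` covers the "check for known vulnerabilities" item.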
This security policy covers:

- ✅ Skills content and recommendations
- ✅ Documentation and examples
- ✅ Repository infrastructure

This policy does NOT cover:

- ❌ SAP products themselves (report to SAP)
- ❌ Third-party packages (report to package maintainers)
- ❌ Claude Code/Desktop platforms (report to Anthropic/Factory)

Thank you for helping keep SAP Skills secure! 🔒