Security: FuroLabs/.github

Security Policy

Reporting a Vulnerability

  • Email furolabs@gmail.com with a clear, concise description, impact, and proof-of-concept (if available). Include affected repo/commit, logs or screenshots, and repro steps.
  • Do not open public GitHub issues for security reports.
  • For encryption, request our PGP key or include your key; we will respond with our fingerprint.

Triage Checklist (what to include)

  • Impact and severity as you see it
  • Affected repo, branch/commit, or release version
  • Reproduction steps and minimal proof-of-concept
  • Expected vs. actual result, plus any logs/screenshots

Response and Remediation Targets

  • Acknowledgment: within 2 business days
  • Initial assessment: within 5 business days
  • Status updates: at least weekly until resolution
  • Fix SLAs (targets): Critical 7 days; High 14 days; Medium 30 days; Low 60 days (business or calendar days depending on issue complexity)

Disclosure

  • Coordinated disclosure by default; we will agree on a reasonable timeline with you.
  • We aim to publish advisories and fixes once a mitigation is available and users have had time to update.
  • We will request CVEs for qualifying issues and include acknowledgments when permitted.

Scope

  • In scope: code, configs, CI/CD workflows, secrets exposure, and infrastructure-as-code in this repository.
  • Out of scope: social engineering, physical attacks, spam or unsolicited automated traffic, and denial-of-service or load-testing against our infrastructure.
  • No brute-force attacks against accounts or rate-limit evasion.

Supported Versions

Version | Status
main | Actively supported
Older tags | Best effort only; may require updating to main
Forks | Out of scope unless explicitly covered by a separate agreement

Safe Harbor

  • If you make a good-faith effort to comply with this policy, avoid privacy violations, and do not degrade or disrupt services, we will consider your research authorized and will not pursue legal action.

Disclosure & Credit

With your consent, Furo Labs may publicly credit you for responsibly reporting the issue. If you prefer anonymity, please state that in your report.

Contact

Email: furolabs@gmail.com

Thank you for helping us keep Furo Labs secure.
