Do not open public issues for security findings. Instead:
- Email: security@phenotype.dev (or kooshapari@gmail.com until the org mailbox exists)
- GitHub private vulnerability reporting: https://github.com/KooshaPari/DataKit/security/advisories/new
In scope:
- Vulnerabilities in this repo's code, dependencies, or CI
- Credential leaks
- Supply-chain concerns (typosquatting, compromised dependencies)
Response targets:
- Acknowledgment within 48h
- Triage and severity assessment within 7d
- Fix timeline by severity (CRITICAL: 7d, HIGH: 30d, MEDIUM/LOW: next release cycle)
Disclosure is coordinated. We'll publish an advisory once a fix is available, or after 90d if unfixed.