If you discover a security vulnerability in VX itself, please report it responsibly:

1. Do not open a public GitHub issue
2. Email the maintainer or use GitHub Security Advisories
3. Include steps to reproduce and potential impact

We will acknowledge receipt within 48 hours and provide a fix timeline.

This policy covers the VX tool itself. For vulnerabilities found by VX in other applications, please report them to the respective application owners.