Security: OffAtom-Lab/opencharacterbook

Security Policy

Supported Scope

This policy applies to the public opencharacterbook repository.

Reporting a Vulnerability

If you discover a security issue, please report it privately and include:

  • affected component (backend/, frontend/, docs, or repo config)
  • reproduction steps
  • impact assessment
  • suggested mitigation (if available)

Do not post sensitive exploit details in public issues.

Response Goals

We aim to:

  1. acknowledge receipt quickly
  2. validate and triage
  3. provide mitigation guidance
  4. publish a fix and disclosure note when appropriate

Public-Safe Engineering Rules

  • Never commit real credentials or secrets.
  • Keep .env files local; use .env.example for templates only.
  • Avoid including private or internal endpoints in public docs unless intentionally documented.
  • Ensure screenshots and demo artifacts are sanitized and safe to publish.

There aren’t any published security advisories