If you discover a security vulnerability in logic-md, please report it responsibly:

1. Do NOT open a public issue.
2. Use GitHub's private vulnerability reporting to submit your report.
3. Include as much detail as possible: steps to reproduce, affected versions, and potential impact.

You can expect an initial response within 72 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

This policy covers the following packages:

• @logic-md/core — Parser, validator, expression engine, DAG resolver, compiler
• @logic-md/cli — CLI tooling
• @logic-md/mcp — MCP server

We follow coordinated disclosure. Once a fix is available, we will publish a security advisory and credit the reporter (unless they prefer to remain anonymous).