Security: alan-berger/dnstoolbox

SECURITY.md

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in any of my repositories, please do not open a public issue. Instead, report it privately so it can be assessed and addressed before any public disclosure.

Contact: security@alanberger.me.uk

Please encrypt your report using my PGP key if the details are sensitive.

PGP Fingerprint: D3BD B539 414B DE52 7F1E 6B06 AA2C E026 FA50 DA2F

Public key: keys.openpgp.org

For additional contact details and my security.txt, see alanberger.me.uk/.well-known/security.txt.

What to Include in Your Report

Where possible, please include:

  • The repository name and a description of the affected component
  • Steps to reproduce or a proof-of-concept
  • The potential impact and severity in your assessment
  • Any suggested remediation if you have one

Disclosure Policy

  • I will acknowledge receipt of your report within 7 days
  • I will aim to provide a remediation or a clear timeline within 90 days of acknowledgement
  • I ask that you do not publicly disclose the vulnerability until either the issue is resolved or the 90-day window has elapsed, whichever comes first
  • If you have not received an acknowledgement within 7 days, please follow up — your report may not have reached me

Scope

This policy applies to all repositories under github.com/alan-berger.

Bug Bounty

There is no bug bounty programme. These are personal projects maintained in my own time. That said, responsible disclosure is genuinely appreciated and I will acknowledge contributors in any relevant release notes or advisories unless you prefer to remain anonymous.

There aren’t any published security advisories