Security fixes are provided for the active main branch.

Do not open public issues for security vulnerabilities.

Send a private report including:

• Description of the issue
• Reproduction steps
• Potential impact
• Suggested mitigation (if available)

Use: security@creatory.dev (placeholder contact for bootstrap phase).

• Initial acknowledgment: within 72 hours
• Triage decision: within 7 days
• Fix timeline: based on severity and exploitability

Please avoid disclosing details publicly until a fix or mitigation is available.