Please do not report security vulnerabilities through public GitHub issues.

Send a description to hello@codegress.com with:

• Type of issue (e.g. regex denial-of-service, panic on untrusted input)
• File paths and line numbers of the affected source code
• A minimal reproduction case if possible
• Impact assessment — what an attacker could achieve

You should receive an acknowledgement within 48 hours and a resolution plan within 7 days.

We follow coordinated disclosure. Once a fix is released we will publish a security advisory on GitHub and credit the reporter (unless anonymity is requested).