Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Regium, please report it privately:

Email: security@regium.dev (placeholder — replace with your contact)
Or use GitHub's private security advisory feature.

Please do not open public GitHub issues for security vulnerabilities.

Disclosure Timeline

We will acknowledge receipt within 3 business days.
We aim to provide an initial assessment within 7 business days.
We follow a 90-day coordinated disclosure window.

Scope

In scope:

Validators producing incorrect results that could lead to compliance failures
Metadata accuracy issues with material legal impact
Supply-chain or build-time vulnerabilities
Bugs allowing arbitrary code execution via untrusted plugin input

Out of scope:

Vulnerabilities in user code consuming Regium
Issues requiring physical access or already-compromised environments

There aren't any published security advisories