Security

SECURITY.md

Security Policy

Supported scope

This repository is currently public-alpha readiness software.

Reporting a vulnerability

Please do not disclose vulnerabilities publicly first.

Report privately with:

affected component/path
reproduction steps
impact assessment
optional patch suggestion

Temporary contact process (until dedicated security inbox is published):

Open a private channel with the project operator/maintainer and include "[SECURITY]" in the subject/title.

Response targets (best effort)

Initial acknowledgment: within 72 hours
Triage decision: within 7 days
Fix timeline: based on severity and exploitability

Disclosure policy

Coordinated disclosure preferred.
Public advisories may be published after mitigation is available or risk is otherwise managed.

Out-of-scope for bounty/guarantee

There is currently no paid bug bounty program.

There aren’t any published security advisories