Security: jryan5150/esexpress-tools

.github/SECURITY.md

Security Policy

This is the default security policy that propagates to my repositories without their own. Repos that handle credentials, network surfaces, or sensitive workflows ship a more specific SECURITY.md (e.g., gone-phishing).

Supported Versions

For most of my repos:

Version                  | Supported
-------------------------|-------------------------
main / master (latest)   | Supported
Latest tagged release    | Supported
Older tagged releases    | ⚠️ Best-effort only

Repos that ship security-sensitive functionality may have a more specific support matrix in their own SECURITY.md.

Reporting a Vulnerability

Do not report security vulnerabilities through public GitHub issues, discussions, or PRs.

Use one of these private channels:

  1. Preferred: Open a GitHub Security Advisory on the affected repo (private — only visible to maintainers and you)
  2. Alternative: Reach me through my GitHub profile — current contact methods are listed there

What to include

  • Clear description of the issue and its impact
  • Steps to reproduce (proof-of-concept where applicable)
  • The version / commit hash where you observed the issue
  • Your assessment of severity (critical / high / medium / low) and reasoning
  • Whether you've disclosed the issue elsewhere

What to expect

  • Acknowledgment within 72 hours
  • Triage within 7 days with a rough timeline
  • Fix or mitigation within 30 days for high/critical issues; lower-severity issues may take longer
  • Coordinated disclosure. Once a fix ships, I'll publish a security advisory crediting you (with your permission). Anonymous reports are also fine.

Out of scope

  • Vulnerabilities in upstream dependencies — please report to the respective maintainer (and feel free to ping me as well so I can update the affected repos)
  • Vulnerabilities in third-party services my code integrates with — please report to the respective vendor
  • Issues that require physical access to deployment hosts
  • Social engineering attacks against me or contributors
  • Denial-of-service attacks against your own deployment

What's especially welcome

Across the repos here:

  • Credential leakage via error messages, logs, or response bodies
  • Authentication bypass in any deployment configuration
  • Prompt injection that escalates privilege or exfiltrates data in AI-integrated repos
  • Path traversal in any file-handling code
  • XSS that survives sanitization layers in chat/UI repos
  • Dependency vulnerabilities I've missed in requirements.txt / package.json / mix.exs

If you're not sure whether something qualifies as a vulnerability, err on the side of reporting privately.

There aren't any published security advisories