If you've found a security vulnerability in any Luther Systems repository, please report it privately — do not open a public issue.

Preferred: Use GitHub's private vulnerability reporting on the affected repo:

https://github.com/luthersystems/<repo>/security/advisories/new

Alternative: Email infosec@luthersystems.com with details.

Please include:

• Affected repository and (if known) the affected versions, commits, or files
• A description of the vulnerability and its impact
• Steps to reproduce
• Any proof-of-concept code or screenshots

We aim to acknowledge new reports within 2 business days. We'll keep you updated as we investigate, and credit you in any public advisory if you'd like.

Please do not publicly disclose the issue until we've had a reasonable chance to address it.

The following are generally not considered vulnerabilities:

• Findings from automated scanners without a demonstrated impact
• Missing security headers or cookie flags with no exploit path
• Social engineering, phishing, or physical attacks against employees
• Denial-of-service attacks requiring unrealistic resources

Thank you for helping keep our users and infrastructure safe.