Security: opencall-api/call-api

Security Policy

Reporting a Vulnerability

If you believe you have found a security vulnerability in the OpenCALL specification, reference implementations, or any @opencall package, please report it privately.

Contact: Use GitHub's private security advisory feature at https://github.com/opencall-api/call-api/security/advisories/new, or email the maintainer listed on the npm package page.

Please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce, or a proof-of-concept.
  • The affected package(s), version(s), and spec section if applicable.

Supported Versions

Security fixes are issued for the latest minor version of every published @opencall package, and for the latest patch of the previous minor where feasible. Older versions are not patched; upgrade to a current release.

Disclosure Timeline

We aim to acknowledge reports within 72 hours and provide a remediation plan within 7 days. Coordinated disclosure timelines are agreed with the reporter on a case-by-case basis.

There aren't any published security advisories