Do not open a public issue for security vulnerabilities.

Please report security issues by emailing security@isms.sh. Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact

• Acknowledgement within 2 business days.
• Initial assessment within 5 business days.
• Fix or mitigation timeline communicated after assessment.

Security fixes are applied to the latest release only. We recommend always running the most recent version.

We follow coordinated disclosure. We will credit reporters (unless anonymity is requested) once a fix is released.