ContextForge does not currently run a formal security program, security SLA, or dedicated security inbox. Please report security-sensitive issues carefully.

Preferred path:

• Use GitHub private vulnerability reporting for this repository if it is enabled.

If private reporting is not available:

• do not post exploit details, secrets, or proof-of-compromise material in a public issue
• open a minimal public issue asking for a private reporting path, without including sensitive details

When you report a security issue, include:

• affected ContextForge version or commit
• affected operating system and Node version
• the command or workflow involved
• impact summary
• minimal reproduction details if they can be shared safely

Before the first public publish, fixes are handled on the current repository state at maintainer discretion. There is no formal supported-version matrix yet.