Security: ScriptSmith/hadrian

Security

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue
  2. Email security concerns to security at hadriangateway.com
  3. Include steps to reproduce, potential impact, and any suggested fixes
  4. Allow up to 90 days for a fix before public disclosure

Disclosure Policy

We follow a 90-day coordinated disclosure policy:

  • We aim to release a fix within 90 days of the initial report
  • If a fix requires more time, we will negotiate an extended timeline with you
  • You are free to publicly disclose the vulnerability after 90 days, or sooner if a fix has been released

Scope

In Scope

  • The Hadrian Gateway application and its APIs
  • Authentication and authorization mechanisms
  • Data handling and storage
  • Configuration and deployment security

Out of Scope

  • Third-party services and dependencies (report these to the respective maintainers)
  • Social engineering attacks
  • Denial of service attacks
  • Attacks requiring physical access

Recognition

We believe in recognizing the work of security researchers. With your permission, we will:

  • Credit you in the security advisory and release notes
  • Add you to a security contributors list

If you prefer to remain anonymous, we will respect that.
