
Security: Xylem-Group/kos


SECURITY.md

Security policy

kos is a numerical library — pure-function metrics on numpy arrays, no network calls, no file I/O outside what the user invokes. The realistic threat surface is small. But if you find something worth reporting, please report it privately rather than opening a public issue.

Reporting a vulnerability

Email security@xylem-group.org with:

  • A description of the issue and the affected primitive (markout, vpin, if_stress, or another module).
  • A minimal reproduction (test case or array input).
  • Whether you've already disclosed it anywhere else (this affects the private-disclosure timeline).

We'll acknowledge within 72 hours and aim to fix or comment on a path forward within two weeks. We don't run a paid bug bounty for this repo.

Out of scope

  • Numerical-stability concerns at extreme inputs (e.g., markout on arrays with inf or all-NaN slices). Open a regular issue or PR — these are correctness bugs, not security issues.
  • Methodology disagreements (e.g., "VPIN bucket sizing should differ"). Open a regular issue or PR.
  • Issues in dependencies (numpy). Report those upstream.

Supported versions

kos is pre-release; only the latest release tag and main are supported.

There aren't any published security advisories