- Please report vulnerabilities privately to: security@your-domain.example (replace with project email).
- We aim to acknowledge reports within 72 hours and provide a remediation timeline.
- Do not open public issues for sensitive security reports.

Scope:
- All code under this repository and published release artifacts.
- The supply chain (GitHub Actions, SBOMs, signatures) is included.

PGP/GPG: If you need to encrypt your report, request our public key via email.