Security: false-systems/polku

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue
  2. Email security@false-systems.com with:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
  3. You will receive an acknowledgment within 48 hours
  4. We will work with you to understand and address the issue before any public disclosure

Security Design

  • No unsafe code — #![deny(unsafe_code)] enforced across all crates
  • No secret handling — POLKU does not store credentials; authentication is delegated to the transport layer (TLS, mTLS)
  • Input validation — all gRPC inputs are validated before processing
  • Bounded resources — buffer capacity, batch size, and channel depth are all bounded to prevent resource exhaustion
