If you discover a security vulnerability, please report it responsibly:

1. Do not open a public issue
2. Email the maintainer or use GitHub Security Advisories
3. Include a description of the vulnerability, steps to reproduce, and potential impact

• Acknowledgment: within 48 hours
• Assessment: within 1 week
• Fix: depends on severity, targeting 2 weeks for critical issues

This policy covers the hive-vault Python package and its MCP server components. It does not cover:

• The Obsidian vault content (user data)
• Third-party dependencies (report upstream)
• Ollama or OpenRouter services (report to their maintainers)