Security: possible055/relace-mcp

SECURITY.md

Security Policy

Supported Versions

Version   Supported
latest    Yes

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

How to Report

  1. Do NOT create a public GitHub issue for security vulnerabilities.
  2. Please email the maintainers directly or use GitHub's private vulnerability reporting.
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: Within 30 days (depending on severity)

What to Expect

  • Acknowledgment of your report
  • Regular updates on the progress
  • Credit in the release notes (unless you prefer to remain anonymous)

Security Best Practices

This project follows security best practices including:

  • Pinned dependencies with commit SHA verification
  • Minimal token permissions in CI/CD workflows
  • Regular dependency updates via Dependabot
  • OpenSSF Scorecard monitoring

Disclosure Policy

We follow a coordinated disclosure policy. Please allow us reasonable time to address vulnerabilities before public disclosure.

There aren’t any published security advisories