Security: AnswerCite/answercite-api

SECURITY.md

🛡️ Security Policy

AnswerCite is committed to operational hygiene, privacy-first architecture, and symbolic trust signaling. We welcome responsible disclosure of vulnerabilities, anomalies, or hygiene gaps across any module.


📣 Reporting Vulnerabilities

If you discover a security issue, please:

  1. Do not open a public issue.
  2. Contact us directly at security@answercite.org or via the private disclosure form at /disclosure.
  3. Include:
    • A clear description of the issue
    • Affected module(s) and version(s)
    • Steps to reproduce (if applicable)
    • Suggested remediation (optional)

We aim to respond within 72 hours and coordinate a fix within 7 days, depending on severity.


🧠 Scope

This policy applies to:

  • All AnswerCite repos and modules
  • Public endpoints (e.g., /status.json, /badge.svg)
  • Schema validators and ingestion pipelines
  • Trust badge logic and anomaly flag triggers

🚦 Anomaly Flags

AnswerCite modules may surface anomaly flags based on:

  • Unexpected schema deviations
  • Suspicious ingestion patterns
  • Hygiene score thresholds

These flags are symbolic UX signals—not security guarantees. We encourage contributors to help refine flag logic and improve trust metadata.


🔐 Privacy & Integrity

We do not collect user data, track behavior, or rely on opaque dependencies. All modules are designed with:

  • Privacy-first defaults
  • Minimal surface area
  • Transparent governance scaffolds

🧩 Disclosure Philosophy

Security is a shared responsibility. We value:

  • Thoughtful escalation
  • Symbolic trust signaling
  • Contributor autonomy

Thank you for helping us build safer, cleaner, and more trustworthy tools.

There aren’t any published security advisories