Please report vulnerabilities privately and do not disclose them publicly before a fix is available.

When reporting, include:

• Affected version/commit
• Reproduction steps
• Impact assessment
• Suggested mitigation (if available)

1. Acknowledge report receipt
2. Reproduce and triage severity
3. Implement and validate fix
4. Coordinate disclosure timeline

This policy covers the GRIT Engine source code and distributed package artifacts.