If you discover a security vulnerability in Shroud, please report it through GitHub Security Advisories. Do not open a public issue.
You should receive an initial response within 72 hours. Once a vulnerability is confirmed, its fix will be prioritized and released as soon as practical.
Shroud is a detection and masking tool — vulnerabilities in the encryption (AES-256-GCM, PBKDF2-SHA512), token generation (HMAC-SHA256), or pattern logic that could leak sensitive data are all in scope.