Please report suspected vulnerabilities privately to the maintainers before public disclosure. Include:

• Affected component and version/tag
• Reproduction steps
• Impact assessment
• Suggested fix (if available)

• Initial acknowledgement target: within 3 business days
• Triage and severity assessment: as quickly as possible after reproduction
• Coordinated disclosure after patch and release planning

This policy applies to evaluator code, release automation, and published artifacts in this repository. Third-party benchmark infrastructure may require separate disclosure paths.