We take security seriously. If you discover a security vulnerability, please report it responsibly.

1. DO NOT create a public GitHub issue for security vulnerabilities
2. Use GitHub's private vulnerability reporting feature (Security tab → "Report a vulnerability")

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Resolution Target: Within 90 days for critical issues

@mlieberman85, @pxp928, @trmiller

When contributing, please ensure:

• No hardcoded secrets or credentials
• Dependencies are up to date
• Input validation is implemented
• Secure coding practices are followed

When vulnerabilities are reported in our dependencies that do not affect this project, we will provide VEX (Vulnerability Exploitability eXchange) statements explaining why the vulnerability is not exploitable in our context.

VEX statements will be published as:

• GitHub Security Advisories with "not affected" status
• VEX documents in this repository (when applicable)

For more information about VEX, see:

• OpenVEX Specification
• CISA VEX Guide