Please report security vulnerabilities through GitHub Security Advisories.

Do not open a public issue for security vulnerabilities.

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix or mitigation: as soon as practical, coordinated with reporter

This policy covers the @vllnt/convex-flags npm package. Issues in Convex itself should be reported to Convex.