Security Policy

We take security seriously and appreciate responsible disclosures.

Supported Versions

• Active development branch: main
• Docker images built via infra/docker-compose.yml

Reporting a Vulnerability

• Please report privately by opening a security advisory or emailing: security@yourdomain.example
• Include a description, reproduction steps, impact, and any mitigations.
• Do not open public issues for sensitive reports.

Handling

• We will acknowledge receipt within 3 business days.
• We will investigate, assign severity, and propose a fix or mitigation timeline.
• Credit will be given upon request once a fix is released.

Release Appendices

• Security Posture — Release 0.1.13

Non‑Goals

• Bug bounties are not currently offered.