• Please report vulnerabilities privately to: security@your-domain.example (replace with project email).
• We aim to acknowledge reports within 72 hours and provide a remediation timeline.
• Do not open public issues for sensitive security reports.

Scope:

• All code under this repository and published release artifacts.
• Supply chain (GitHub Actions, SBOMs, signatures) included.

PGP/GPG: If you need to encrypt your report, request our public key via email.