Security: evalops/orbit-agent

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in any EvalOps repository, please report it responsibly.

Do not open a public GitHub issue, pull request, or discussion for security vulnerabilities.

Instead, email security@evalops.dev with:

  • A description of the vulnerability
  • Steps to reproduce
  • The affected service(s) and version(s)
  • Potential impact
  • Any proof-of-concept code, logs, or screenshots that are safe to share

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Supported Versions

We support security patches for the latest release of each actively maintained service. Archived, experimental, or retired repositories may receive fixes only when they affect an active EvalOps service.

Scope

This policy applies to repositories in the evalops GitHub organization.

Coordinated Disclosure

Please give us a reasonable opportunity to investigate and remediate before public disclosure. We will keep reporters updated as we validate impact, prepare fixes, and coordinate release timing.