# Security Policy

We take the security of this project seriously. Thank you for taking the time to responsibly disclose any issues you find.

## Supported Versions

Security updates are applied to the versions below. If you are running an unsupported version, please upgrade before reporting.

| Version  | Supported          |
| -------- | ------------------ |
| latest   | :white_check_mark: |
| < latest | :x:                |

> Adapt this table to your project's actual release line (e.g. `1.x`, `0.9.x`).

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** Public disclosure before a fix is available puts every user at risk.

Instead, report privately using **GitHub's private vulnerability reporting**:

1. Go to the **Security** tab of this repository.
2. Click **Report a vulnerability** (under *Advisories*).
3. Fill in the form with the details below.

If private vulnerability reporting is not available, email **** *(replace with your security contact)* instead.

Please include:

- A description of the vulnerability and its potential impact.
- Steps to reproduce (proof-of-concept, affected versions, configuration).
- Any known mitigations or workarounds.

## What to Expect

| Stage               | Target                                                              |
| ------------------- | ------------------------------------------------------------------- |
| Acknowledgement     | within **3 business days** of your report                           |
| Initial assessment  | within **7 business days**                                          |
| Fix / status update | we will keep you informed at least **every 14 days** until resolved |
| Public disclosure   | coordinated with you, typically after a fix ships                   |

We will credit you in the advisory unless you ask to remain anonymous.

## Scope

In scope:

- The code in this repository and its official release artefacts.
- Supported versions listed above.

Out of scope (typically):

- Vulnerabilities in third-party dependencies — report those upstream, though we appreciate a heads-up so we can bump the dependency.
- Issues requiring physical access, social engineering, or a compromised developer machine.
- Denial of service from unrealistic resource exhaustion.

## Safe Harbor

We will not pursue legal action against researchers who:

- Make a good-faith effort to avoid privacy violations and service disruption.
- Report promptly and do not exploit the issue beyond what is needed to prove it.
- Do not disclose the issue publicly before a coordinated fix.

Thank you for helping keep this project and its users safe.