# Security Policy


# Reporting a Vulnerability

If you believe you have found a security vulnerability in this project, we encourage you to report it responsibly. Please do not open a public issue. Instead, please use the Report a vulnerability function available via the security tab.

Your report should include (if possible):

- a clear description of the vulnerability, including impact and affected versions
- steps to reproduce the issue
- any relevant code snippets, logs, or proof-of-concept exploit
- suggested remediation or mitigation, if known

We aim to acknowledge receipt of your report within 7 business days and provide an update on remediation progress within 14 business days.


# Coordinated Disclosure

We follow a coordinated disclosure approach. Once the issue is confirmed and a fix is ready, we will:

- notify you prior to public disclosure
- credit you in the release notes (unless you prefer to remain anonymous)
- publish a security advisory and update affected versions
- if severe enough, assist with publishing a CVE


# Security Best Practices

To minimize your exposure:

- always use the latest stable release
- avoid running our tools with unnecessary privileges
- review and validate third-party extensions or plugins before use
