# Security Policy

## Supported Versions

Only the default branch is supported; there are no maintained release lines. Security fixes are committed to the default branch and ship through the normal commit and deployment flow rather than as separate patch releases.

## Reporting a Vulnerability

If you discover a security issue, do not disclose it publicly (in a public issue, pull request, discussion, or elsewhere) before a fix is available.

1. Open a private security report through the repository's issue workflow and mark it with the `security` label. Keep reproduction details out of any public issue, pull request, or discussion.
2. Describe the impact, the steps to reproduce, and the affected files or routes.
3. Where possible, include a proof of concept and suggested mitigations.

## Response Targets

1. Acknowledge receipt within 72 hours.
2. Complete triage and severity assignment within 5 business days.
3. Publish a remediation plan and release timeline after triage.

## Disclosure Process

1. Patch and validate in CI.
2. Deploy the fix and monitor for error and performance regressions.
3. Publish a summary without exposing sensitive exploit details.

## Safe Harbor

Good-faith security research that avoids data destruction, service disruption, or privacy violations is welcome.
