
Security: NP-compete/toolglot


SECURITY.md

Security Policy

ToolGlot takes security reports seriously.

Reporting a Vulnerability

Please do not open a public GitHub issue for suspected vulnerabilities.

Use one of these private channels instead:

  1. Open a private GitHub vulnerability report through the repository's GitHub Security Advisory flow.
  2. If the advisory flow is unavailable, contact the maintainer privately via the GitHub profile @SohamDutta.

Please include:

  • affected version/commit
  • clear reproduction steps
  • expected vs actual behavior
  • impact assessment
  • any suggested remediation

Response Targets

  • Acknowledgement: within 72 hours
  • Initial triage: within 7 calendar days
  • Fix or mitigation plan: within 30 calendar days for confirmed issues

Complex vulnerabilities may require more time. We will provide status updates in the advisory thread.

Disclosure Process

  1. We confirm and triage the report privately.
  2. We prepare and validate a fix.
  3. We publish a patched release and advisory.
  4. We credit the reporter (if requested).

Scorecard Findings and Follow-Up

ToolGlot runs OpenSSF Scorecard in CI.

If a Scorecard check fails or its score regresses:

  1. Open a GitHub issue labeled area:security and priority:P1.
  2. In the issue, include the name of the failed check, a link to the failing workflow run, and the remediation plan.
  3. Link the issue from the commit or PR that remediates it.
