Security: labgadget015-dotcom/github-notifications-copilot

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest

Reporting a Vulnerability

We take security vulnerabilities seriously. Please do not open a public GitHub issue for security vulnerabilities.

How to Report

  1. Email: Open a GitHub Security Advisory (preferred)
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact assessment
    • Suggested fix (if available)

Response Timeline

  • Acknowledgement: Within 48 hours
  • Initial assessment: Within 7 days
  • Fix/patch: Within 30 days for critical issues

Disclosure Policy

We follow coordinated disclosure. Once a fix is available, we will:

  1. Release the patch
  2. Credit the reporter (unless anonymity is requested)
  3. Publish a security advisory

Security Best Practices

When using this project:

  • Keep dependencies up to date
  • Never commit API keys or secrets to version control
  • Use environment variables for sensitive configuration

There aren’t any published security advisories