If you discover a security vulnerability in Mulder, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Use GitHub Security Advisories or private vulnerability reporting for this repository. If private reporting is unavailable, contact the maintainers through the repository's public maintainer metadata.

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

• Acknowledgment: Within 48 hours
• Assessment: Within 1 week
• Fix: Depends on severity, but we aim for:
  • Critical: 7 days
  • High: 14 days
  • Medium: 30 days
  • Low: 90 days

• Never expose your .env file or GCP credentials
• Use IAM roles with minimal permissions for the Cloud Run service account
• Enable audit logging in your GCP project
• Keep dependencies up to date

No instance-specific config, live domains, real cloud resource IDs, private accounts, or deployment credentials belong in tracked files.