We take security seriously. If you discover a security vulnerability, please report it responsibly.

1. Do NOT create a public GitHub issue for security vulnerabilities
2. Email security concerns to the maintainers (see MAINTAINERS.md)
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Any suggested fixes (if applicable)

• Acknowledgment within 48 hours
• Status update within 7 days
• Coordinated disclosure timeline discussion

Security concerns include but are not limited to:

• Authentication/authorization bypasses
• Data exposure or leakage
• Injection vulnerabilities (SQL, command, etc.)
• Cryptographic weaknesses
• Supply chain vulnerabilities
• Container escape vectors

This project uses the following cryptographic primitives:

Deployed instances should implement:

• Content-Security-Policy
• Strict-Transport-Security
• X-Content-Type-Options
• X-Frame-Options
• Referrer-Policy
• Permissions-Policy

All DNS zones should be signed with:

• DNSSEC (full chain validation)
• ZONEMD (zone integrity)

Security advisories will be published via GitHub Security Advisories.