# Security Policy

## Supported Versions

This project is currently maintained on the `main` branch only.

| Version | Supported |
| ------- | --------- |
| main    | ✅        |

## Reporting a Vulnerability

If you discover a security issue, please report it privately first.

Preferred channels:

1. Open a private security advisory in GitHub (if enabled).
2. If a private advisory is not available, open an issue with minimal details and request a private follow-up from maintainers.

Please include:

- A clear description of the vulnerability
- Affected files/endpoints/flows
- Reproduction steps or proof of concept
- Potential impact
- Suggested remediation (if available)

## Response Expectations

- Initial triage target: within 3 business days
- Status update target: within 7 business days
- Fix timeline depends on severity and release constraints

We will coordinate disclosure timing after remediation is available.