Security: bromso/metapowers

SECURITY.md

Security Policy

Supported Versions

Version    Supported
latest     Yes

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public GitHub issue
  2. Use GitHub Security Advisories to report the vulnerability privately
  3. Alternatively, email security concerns to the maintainers

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: within 48 hours
  • Initial assessment: within 1 week
  • Fix timeline: depends on severity, typically within 30 days

Security Best Practices

When contributing, please:

  • Never commit secrets, tokens, or credentials
  • Use environment variables for sensitive configuration
  • Follow the principle of least privilege in code
  • Report any suspicious dependencies

There aren't any published security advisories