This document outlines our procedures for reporting vulnerabilities and the security practices for divine-thegraph-token-api.
We actively maintain only the latest released version. Please upgrade to the newest release to receive security updates.
If you believe you have found a security issue, please contact us before disclosing it publicly.
- Open a private security advisory on GitHub ("Report a vulnerability" under the repository's Security tab).
- Or email [email protected] (PGP available on request).
We aim to acknowledge reports within 3 business days. Please keep the details confidential while we validate and address the issue; we will work with you on a fix and on the disclosure timeline.
The project uses GitHub's security features:
- Dependabot for dependency updates and vulnerability alerts.
- CodeQL analysis and static scans on every push.
- Bandit, Safety, and Trivy scans during CI workflows.
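As an illustration of how the scanners listed above can be wired into CI, here is an added example GitHub Actions workflow. It is not the project's own workflow file: it assumes a Python project with a `requirements.txt` and uses the publicly documented Bandit, Safety, Trivy and CodeQL actions and CLI flags; adjust paths and versions to the repository.

```yaml
# Added example workflow, not the project's own file.
# Assumptions: Python code base, dependencies pinned in requirements.txt,
# tests under ./tests (excluded from Bandit to avoid noise from assert usage).
name: security-scans
on:
  push:
  pull_request:
permissions:
  contents: read
  security-events: write   # required for CodeQL to upload results to code scanning
jobs:
  python-scans:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies and scanners
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt bandit safety
      - name: Bandit (static analysis for common Python security issues, medium severity and up)
        run: bandit -r . -ll -x ./tests
      - name: Safety (dependencies with known vulnerabilities)
        run: safety check -r requirements.txt
      - name: Trivy (filesystem scan of dependencies and config; fail on HIGH/CRITICAL)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          exit-code: "1"
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
      - uses: github/codeql-action/analyze@v3
```

Each scanner step is configured to fail the job when it finds an issue at or above the chosen severity, so a pull request cannot be merged past a known finding without an explicit triage decision. Newer Safety releases rename `safety check` to `safety scan`; keep the flag in step with the pinned Safety version. Dependabot is configured separately in `.github/dependabot.yml` and is not part of this workflow.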
We request a 90-day remediation window for validated vulnerabilities before any public disclosure, or earlier once a fix has been released. After a fix is released we will credit you in the release notes if you wish.
We appreciate the community's help in keeping this project secure.