If you discover a security vulnerability, please report it by:

1. Opening a private security advisory in this repository
2. Providing a detailed description of the vulnerability
3. Including steps to reproduce the issue
4. Suggesting a fix if possible

Please do not disclose security vulnerabilities publicly until they have been addressed.

• Initial response: within 48 hours
• Status update: within 7 days
• Fix timeline: depends on severity

This project follows these security practices:

• Dependencies are regularly updated via Dependabot
• All PRs require review before merging
• Sensitive data is never committed to the repository
• Environment variables are used for secrets