Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: [email protected]

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Response: Within 48 hours acknowledging receipt
• Updates: Every 5 business days on progress
• Resolution: Target 90 days for fix

• We follow coordinated disclosure
• Credit will be given to reporters (unless anonymity requested)
• We will not pursue legal action against good-faith reporters

When contributing:

• Never commit secrets, tokens, or credentials
• OAuth .credential files are stored with chmod 600
• API key .apikey files are stored with chmod 600
• Keychain credentials are stored using macOS security best practices