Security: aashen1/ash-python-template

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

If you discover a security vulnerability, please report it by:

  1. Email: Send details to the project maintainer (check GitHub profile for contact info)

  2. GitHub Security Advisory: Use GitHub's private vulnerability reporting

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected versions
  • Potential impact

Response Time

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Fix Timeline: Depends on severity (critical: ASAP, others: next release)

Security Best Practices

When using this template:

  • Keep dependencies up to date (run pixi run security to check for vulnerabilities)
  • Never commit secrets (use .env files and add them to .gitignore)
  • Review third-party dependencies before adding them

Attribution

Security researchers who responsibly disclose vulnerabilities will be credited in release notes (unless they prefer to remain anonymous).
