Security: DickHorner/NeonKiez

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open public issues for potential vulnerabilities.

Use one of the following private channels:

  • GitHub private vulnerability reporting (Security Advisories) when available.
  • Email the maintainers at security@neonkiez.dev.

Include reproduction steps, affected files, impact estimate, and any proof of concept.

Response and Remediation Targets

  • We acknowledge new reports within 14 days.
  • We provide an initial triage decision within 14 days.
  • We target remediation for confirmed critical and high-severity issues within 60 days.
  • If a fix cannot be completed within 60 days, we publish a mitigation and revised timeline.

Handling and Disclosure

  • Reports are handled under least-privilege access and shared only with responders.
  • We coordinate disclosure timing with the reporter when possible.
  • We avoid logging sensitive proof-of-concept payloads in public channels.
