We take security seriously. If you discover a security vulnerability, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email us at: juan@vertice-maximus.com
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Any suggested fixes (optional)

• Response Time: Within 48 hours
• Resolution: We aim to resolve critical issues within 7 days
• Disclosure: We will coordinate disclosure with you

The following are in scope:

• Authentication/Authorization bypasses
• Data exposure
• XSS, CSRF, SQL Injection
• Remote code execution

• Denial of Service (DoS)
• Social engineering
• Physical security

This project follows:

• OWASP Top 10 guidelines
• Firebase Security Rules for data protection
• Environment variables for sensitive configuration
• No secrets in client-side code

We appreciate responsible disclosure and will acknowledge security researchers who help improve our security.