Security: MarwaBS/ResumeForge

SECURITY.md

Security Policy

Supported Versions

Version | Supported
1.x     | Yes

Reporting a Vulnerability

If you discover a security vulnerability in ResumeForge, please report it responsibly:

  1. Do not open a public GitHub issue for security vulnerabilities.
  2. Email the maintainer directly or use GitHub's private vulnerability reporting.
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Impact assessment
    • Suggested fix (if any)

Response Timeline

  • Acknowledgment: within 48 hours
  • Triage: within 5 business days
  • Fix: critical vulnerabilities patched within 14 days

Security Practices

  • All dependencies are pinned to exact versions (==) in requirements.txt
  • pip-audit runs in CI to detect known vulnerabilities
  • bandit static analysis runs on every PR
  • JWT signing requires a non-empty secret in production
  • Passwords are hashed with bcrypt via passlib
  • API keys are compared using hmac.compare_digest (timing-safe)
  • CORS is restricted in production (no wildcard origin when credentials are allowed)
  • Docker containers run as non-root (UID 1000)
  • MongoDB connections use authenticated URIs
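The comparison, secret, CORS and connection-string practices in the list above, expressed as small runnable checks. This is an added example and is not ResumeForge's own code; the environment variable names APP_ENV and JWT_SECRET, the function names, and the sample keys and URIs are constructed for illustration.

```python
"""Checks mirroring the practices listed above (added example, not ResumeForge code)."""
import hashlib
import hmac
from typing import Iterable, Mapping
from urllib.parse import urlsplit


def api_key_matches_unsafe(presented: str, expected: str) -> bool:
    # Plain equality stops at the first differing byte, so the time it takes
    # leaks how long a prefix of the key the caller got right.
    return presented == expected


def api_key_matches(presented: str, expected: str) -> bool:
    """Timing-safe API key comparison, the practice the policy names.

    Both values are hashed before hmac.compare_digest: compare_digest runs in
    constant time for equal-length inputs but may return early on a length
    mismatch, and hashing makes both sides a fixed 32 bytes.
    """
    a = hashlib.sha256(presented.encode("utf-8")).digest()
    b = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(a, b)


def jwt_secret_for(env: Mapping[str, str]) -> str:
    """Return the JWT signing secret, refusing to start in production without one.

    The variable names APP_ENV and JWT_SECRET are assumptions for this example.
    """
    secret = env.get("JWT_SECRET", "")
    if env.get("APP_ENV") == "production" and not secret.strip():
        raise RuntimeError("JWT_SECRET must be non-empty when APP_ENV=production")
    return secret


def cors_config_is_safe(allow_origins: Iterable[str], allow_credentials: bool) -> bool:
    """Reject the combination the policy forbids: wildcard origin plus credentials.

    Browsers refuse to send cookies to Access-Control-Allow-Origin: *, and some
    frameworks work around that by reflecting the request Origin, which lets
    any site read authenticated responses.
    """
    return not (allow_credentials and "*" in set(allow_origins))


def mongo_uri_is_authenticated(uri: str) -> bool:
    """True when a MongoDB connection string carries a username and a password."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return False
    return bool(parts.username) and parts.password is not None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(api_key_matches("rf_live_abc123", "rf_live_abc123"))
    print(cors_config_is_safe(["*"], True))
    print(mongo_uri_is_authenticated("mongodb://app:s3cret@db:27017/resumeforge"))
```

api_key_matches_unsafe is included only as the contrast case; the hashed compare_digest form is the one to keep, and it also avoids the length-leak caveat that hmac.compare_digest documents for unequal-length inputs.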

There aren’t any published security advisories