Please report security vulnerabilities privately through GitHub's built-in private vulnerability reporting.

Do not open public issues for security reports.

• Acknowledgement within 5 business days
• Status update within 14 days
• Coordinated disclosure preferred; fix timeline depends on severity

In scope

• Vulnerabilities in vercelsior itself (scanner logic, reporting, recording/replay)
• Improper handling of Vercel API tokens or scan artifacts

Out of scope

• Vulnerabilities in Vercel itself — report via Vercel's HackerOne program
• Vulnerabilities in upstream dependencies — report to the dependency maintainers first

Only the latest release receives security fixes.