Security: YMRYMR/vigil

SECURITY.md

Security Policy

Reporting a vulnerability

Please report suspected security vulnerabilities privately through GitHub Security Advisories:

https://github.com/YMRYMR/vigil/security/advisories/new

If that workflow is unavailable, do not open a public issue; use a private maintainer contact path instead.

Please include:

  • affected Vigil version or commit
  • operating system and architecture
  • a clear description of the issue
  • reproduction steps or proof-of-concept details when safe to share
  • whether the report may be publicly credited

Do not open a public GitHub issue for vulnerabilities until a fix or mitigation is available.

Response expectations

This is a volunteer-maintained project. I will make a best effort to:

  • acknowledge security reports within 7 days
  • provide an initial assessment within 14 days
  • provide a remediation or disclosure plan within 90 days unless the issue is already fixed or the reporter agrees to a shorter timeline

Supported versions

The latest released version is the supported version. Users should update to the latest release before reporting issues unless the issue only affects a historical release.

Disclosure

Confirmed vulnerabilities are treated as confidential until a fix or mitigation is prepared and released. Once a fix is available, the vulnerability may be documented in release notes, advisories, or both.
