Semantic GPS is a 0-customer MVP. There is no formal disclosure SLA yet.
If you find something that looks like a real security issue (cross-org data leakage, auth bypass, SSRF, credential exfiltration, prompt injection that defeats configured policy), email security@bosnjak.io with the subject line SECURITY: <short summary>. Response is best-effort, usually within a few days.
Please don't open a public GitHub issue for security reports, and don't run automated scanners against the hosted demo without coordinating first.