If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Use GitHub Security Advisories to report privately
3. Include steps to reproduce, affected versions, and potential impact

• Acknowledgment: Within 48 hours
• Initial assessment: Within 1 week
• Fix release: As soon as possible, depending on severity

This policy covers the hono-webhook-verify npm package. Security issues in dependencies should be reported to the respective maintainers.

This library follows these security principles:

• Constant-time signature comparison to prevent timing attacks
• Timestamp validation to mitigate replay attacks (where supported by provider)
• Empty secret rejection at construction time to prevent misconfiguration
• Web Crypto API for all cryptographic operations (no custom implementations)