<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly.
**Email:** j.d.a.jewell@open.ac.uk
**Please include:**
- Description of the vulnerability
- Steps to reproduce
- Potential impact
**Response timeline:**
- Acknowledgement within 48 hours
- Initial assessment within 7 days
- Fix or mitigation within 90 days
**Safe harbour:** We will not pursue legal action against security researchers who follow responsible disclosure.