# Security Policy
## Supported Versions
Security fixes are handled on the latest released version of Cinder. Before the
first stable release, report issues against `main`.
## Reporting a Vulnerability
Please do not open a public issue for vulnerabilities that could expose wallet
material, transaction-signing behavior, or user funds.
Report privately by contacting the maintainers through the repository security
advisory flow, or email the project owner if a private advisory channel has not
yet been enabled.
Include:
- Affected version or commit.
- Steps to reproduce.
- Whether a wallet, keypair, transaction signature, or RPC credential may be
exposed.
- Any suggested mitigation.
## Handling Expectations
The maintainers will acknowledge valid reports, investigate impact, and prepare
a fix before public disclosure when appropriate.