# Security Policy
## Supported Versions
Only the latest release (0.x series) receives security updates. Older versions are unsupported.
## Reporting Vulnerabilities
Please report security vulnerabilities privately through [GitHub Security Advisories](https://github.com/randomm/oo/security/advisories) — this ensures responsible disclosure.
**Do not open a public issue for security vulnerabilities.**
### What to Include
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if known)
### Expected Timeline
We aim to acknowledge reports within 7 days and will communicate a remediation timeline.
## What Qualifies
Security vulnerabilities include:
- Dependency vulnerabilities
- Command injection
- Data exposure
- Authentication/authorization flaws
- Other security-critical issues
## What Doesn't Qualify
These are bugs, not security issues:
- Feature requests
- Non-security functionality bugs
- Performance problems
- UI/UX issues
Report these via [GitHub Issues](https://github.com/randomm/oo/issues).