# Security policy
## Supported versions
The `main` branch and the most recent tagged release receive security
fixes. Older releases are best-effort.
## Reporting a vulnerability
Please report suspected vulnerabilities **privately** via GitHub's
private advisory flow:
<https://github.com/paulnsorensen/hallouminate/security/advisories/new>
If that is not available, email <paulnsorensen@gmail.com>. Encrypted email
is welcome.
When reporting, please include:
- A description of the issue and its impact.
- Steps to reproduce, or a proof-of-concept.
- Affected version(s) or commit SHA.
- Any suggested mitigation, if you have one.
We aim to acknowledge reports within **3 business days** and to share
a remediation timeline within **10 business days**. Please give us a
reasonable window to ship a fix before public disclosure — typically
**90 days**, sooner if a fix is shipped earlier or if the issue is
already public.
## Scope
In scope:
- The source code in this repository.
- Released artifacts (binaries, packages) produced from this repo.
Out of scope:
- Third-party dependencies — please report those upstream.
- Self-hosted deployments configured outside the project's
documented defaults.
- Social-engineering or physical-access attacks.
Thanks for helping keep the project safe.