# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability, please report it through [GitHub's private vulnerability reporting](https://github.com/arimxyer/models/security/advisories/new). Do not open a public issue.
Please include:
- A description of the vulnerability
- Steps to reproduce it
- The potential impact
- The version you tested against
You can expect an initial response within 72 hours.
## Scope
This policy covers:
- The `models` / `agents` CLI and TUI binary
- Dependencies shipped with the crate
- Data handling (API responses, cached data, user configuration)
## Supported Versions
Only the latest release is supported with security fixes.
## Disclosure
We aim to release a fix within 30 days of confirming a vulnerability. We will coordinate with you on a public disclosure timeline and credit all reporters in the release notes unless you prefer to remain anonymous.