# Security Policy
This document describes how security vulnerabilities related to the
PIC Protocol implementation are handled.

---
## Supported Versions
Only the latest stable release is supported for security updates
at any given time.
Earlier versions are provided for reference only and are not maintained.

---
## Reporting a Vulnerability
Security issues **must be reported privately**.
Please use GitHub Security Advisories:
https://github.com/pico-protocol/pic-rs/security/advisories/new
Do **not** open public issues for security vulnerabilities.

---
## Scope
We consider vulnerabilities that could compromise the:
- confidentiality,
- integrity,
- or availability

of this implementation or its users.

---
## Response Timeline
We aim to:
- acknowledge reports within **5 business days**,
- provide an assessment or resolution within **30 days**, when feasible.

Timelines may vary depending on severity and complexity.

---
## Credit
We are happy to publicly acknowledge security reporters in release notes
unless anonymity is requested.

---
## Governance
Security response and coordination are handled by **Nitro Agility S.r.l.**

---
## Disclaimer
This security policy is provided for **informational purposes only**.
Nothing in this document creates any obligation, warranty, or liability for:
- Nitro Agility S.r.l.
- The PIC Model creator (Nicola Gallo)
- Project maintainers or contributors

Specifically:
- There is **no obligation** to respond to any report within any timeframe
- There is **no obligation** to fix, patch, or remediate any reported issue
- There is **no obligation** to provide support, updates, or maintenance
- There is **no warranty** that any issue will be addressed

Response timelines stated above are **goals, not commitments**.
All security matters are handled at the sole discretion of Nitro Agility S.r.l.
This policy may be changed at any time without notice.