# Security policy
Thank you for taking the time to help keep cesauth safe. This document
explains how to report security issues, what is in scope, and what to
expect from us when you do.
## Reporting a vulnerability
**Please do not open a public GitHub issue for security reports.**
Instead, send a private report via one of these channels, in order of
preference:
1. **GitHub Security Advisories** — use the "Report a vulnerability"
button on the repository's Security tab. This creates a private
advisory visible only to the repository maintainers and you.
2. **Email** — `nabbisen@scqr.net`. PGP key available on
request.

In your report, please include:
- A description of the issue and its impact.
- Steps to reproduce, with a minimal proof-of-concept if possible.
- The affected component.
- The version or commit SHA you tested against.
- Your name and contact details for attribution if you want credit.

We will acknowledge your report and aim
to provide a substantive response as soon as possible.