# Security Policy
## Supported Versions
Only the latest published version on crates.io receives security fixes. We do not backport to older versions.
## Reporting a Vulnerability
**Please do not open a public GitHub issue for security vulnerabilities.**
Use GitHub's private vulnerability reporting:
[Report a vulnerability](https://github.com/SuperSwinkAI/Swink-Agent/security/advisories/new)
Include:
- A clear description of the vulnerability and its impact
- Steps to reproduce or a minimal proof-of-concept
- The affected crate(s) and version(s)
- Any suggested fix if you have one
We aim to acknowledge reports within **3 business days** and to publish a fix and advisory within **30 days** for confirmed vulnerabilities. We will credit reporters in the advisory unless you request otherwise.
## Scope
This policy covers the `swink-agent` workspace crates published to crates.io. Vulnerabilities in upstream dependencies should be reported to those projects directly; we will update our dependency on a fixed version as promptly as possible.