SECURITY.md

# Security Policy

## Supported Versions

This repository is currently in beta.
Security fixes are handled on the latest `main` branch.

## Reporting a Vulnerability

Please report vulnerabilities privately to:
- Robin@veristatesystems.com

Include:
- Affected component/file
- Reproduction steps
- Impact assessment
- Suggested remediation (if available)

## Disclosure Policy

- Please do not open public issues for unpatched vulnerabilities.
- We aim to acknowledge reports quickly and coordinate responsible disclosure.

## Security Best Practices for Users

- Do not commit secrets, credentials, or private data.
- Use environment variables for sensitive configuration.
- Rotate any credential immediately if accidental exposure is suspected.
- Keep dependencies and runtime images updated.