# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly. **Do not open a public issue.** Instead:

1. Email: **[your-security-email@example.com]** (replace with your contact)

### What to include

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### Response timeline

- **Acknowledgment:** within 48 hours
- **Assessment:** within 7 days
- **Fix or mitigation:** depends on severity

## Security Practices

This project follows security best practices documented in:

- `docs/backend/security.md` — authentication, authorization, audit logging
- `docs/llm/safety.md` — LLM safety, prompt injection defense, privacy
- `RULES.md` — repository-wide security constraints
- `agents/security-auditor.md` — security review agent profile

## Scope

This policy applies to the codebase in this repository. Third-party dependencies are managed separately.