If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Email the details to the maintainer or use GitHub Security Advisories
3. Include steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure

Security concerns relevant to Orbit include:

• Credential storage (deploy passwords stored via OS keyring)
• SSH/SFTP connection handling
• Local service management and privilege escalation
• File system access and path traversal
• MCP server command execution

We aim to acknowledge security reports within 48 hours and provide a fix or mitigation plan within 7 days.