Security: im-sham/Forge

SECURITY.md

Security Policy

If you believe you have found a security issue in Forge, please report it privately instead of opening a public issue first.

How To Report

Email: sham@usmi.ai

Please include:

  • a clear description of the issue
  • affected versions or commit ranges
  • reproduction steps or proof of concept if available
  • any suggested mitigation if you have one

Response Expectations

We will aim to:

  • acknowledge receipt promptly
  • validate the issue
  • coordinate a fix and disclosure plan when appropriate

Please avoid publicly disclosing the issue until there is a coordinated response.

Data Boundary

Forge incident records should be sanitized by default. Do not store raw customer data, regulated personal data, credentials, or training/eval source material in Forge incidents, playbooks, or analysis outputs.

For Proofhouse Operational Learning issues, record pointers and summaries only. Governance remains the authoritative plane for rights posture, redaction review, use approvals, export eligibility, manifests, and audit evidence.

There aren't any published security advisories