• Reporting – Open a GitHub security advisory (preferred) or email [email protected] with “Security Vulnerability”; include description, URL/path, reproduction steps, impact, environment info, and optional fix.
• Response & Handling – Acknowledge within 3 days, assess in 7, verify, score severity (CVSS), develop/test fix, deploy to main, and disclose in SECURITY.md.
• Security Measures – Sanitized inputs, no persistent sensitive data, CSP headers, HTTPS enforced, dependency updates (Dependabot, manual review, pinned versions, npm audit).
• Practices & Tools – Input validation, output encoding, least privilege, secure headers, regular updates; recommended scans via Mozilla Observatory, Snyk, OWASP ZAP.

Security researchers who responsibly disclose vulnerabilities will be acknowledged here unless they prefer to remain anonymous.