# SECURITY.md
## Scope
This repository contains code published as-is. Security handling is best-effort.
## What counts as a security issue
A security issue is a concrete vulnerability in this project that crosses a real trust boundary, such as unintended access, data exposure, integrity compromise, or privilege escalation caused by this code itself.
Bugs are not automatically security vulnerabilities. Incorrect usage, unsafe composition, missing hardening features, and design preferences are usually not security issues.
If you’re reporting something subtle, include a threat model and a concrete impact. Reports without impact may be declined.
## How to report
Preferred: use GitHub Security Advisories for this repository (Security tab, “Report a vulnerability”) if enabled.
Otherwise: email the contact listed in the repository metadata or maintainer profile.
## Expectations
There are no guaranteed response times. There is no bug bounty. Severity and prioritization are determined by the maintainer.
Silence does not imply confirmation, rejection, or urgency.
## Disclosure
Any decision to patch, document, disclose, or request a CVE is made at the maintainer’s discretion. No commitments are made regarding advisories, coordinated disclosure, or timelines.
## Liability
This software is provided as-is, without warranty of any kind. Use in security-sensitive contexts is entirely at your own risk.
