# Security Policy
## Reporting Security Issues
**DO NOT** open public issues for security vulnerabilities.
If you discover a security vulnerability, please email with details instead of using the issue tracker.
## Credential Safety
This project handles sensitive credentials:
- ✅ **Never** commit `.env` files to GitHub
- ✅ **Always** use `.env.local` for personal credentials
- ✅ **Store** credentials in environment variables or secure vaults
- ✅ **Rotate** tokens regularly in the Google Cloud Console
- ✅ **Revoke** exposed tokens immediately if compromised
## Best Practices
1. Use restricted service accounts when possible
2. Limit API scopes to necessary permissions
3. Use short-lived refresh tokens
4. Enable 2FA on your Google Cloud account
5. Audit API activity regularly
## Vulnerability Disclosure
If you find a vulnerability, thank you for responsible disclosure. Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)