Security: VibeCodingLabs/github-repo-template

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x
< 1.0

Reporting a Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

Preferred Method: GitHub Security Advisories

  1. Navigate to the Security tab of this repository
  2. Click "Report a vulnerability"
  3. Fill out the advisory form with:
    • Detailed description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if known)

We will respond within 48 hours and provide regular updates on the status.

Alternative: Private Email

If you prefer email, send reports to: security@vibecoding.labs (replace with your actual email)

Include:

  • Vulnerability description
  • Reproduction steps
  • Impact assessment
  • Your contact information (for follow-up)

Security Update Process

  1. Acknowledgment: Within 48 hours
  2. Triage: 1-3 business days
  3. Fix Development: Based on severity
    • Critical: 1-7 days
    • High: 7-14 days
    • Medium: 14-30 days
    • Low: 30-90 days
  4. Release: Security patch + advisory published
  5. Disclosure: 90 days after fix (or sooner if agreed)

Security Best Practices

When using this template:

  • ✅ Always use .env files for secrets (never commit them)
  • ✅ Enable Dependabot alerts
  • ✅ Use GitHub secret scanning
  • ✅ Keep dependencies updated
  • ✅ Follow the principle of least privilege
  • ✅ Review CODEOWNERS carefully

Bug Bounty

We currently do not offer a bug bounty program, but we deeply appreciate responsible disclosure and will credit researchers in our security advisories (with permission).

Past Security Advisories

None yet. This section will list historical vulnerabilities and their CVE IDs.


Last Updated: 2026-03-05
Contact: security@vibecoding.labs
