Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in this project, please report it responsibly:

1. Email: Send a detailed report to security@firstlinesoftware.com
2. Subject line: [SECURITY] Jaime — <brief description>
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

This project is maintained on a best-effort basis by First Line Software. We will make reasonable efforts to:

• Acknowledge your report within 5 business days
• Provide an initial assessment within 10 business days
• Release a fix for confirmed critical vulnerabilities as soon as reasonably possible

These timelines are goals, not guarantees. As an open-source project provided "as is" under the Apache 2.0 license, we do not offer an SLA for security response.

• We ask that you give us reasonable time to address the vulnerability before public disclosure.
• We will coordinate with you on the timing of any public announcement.
• We will credit you in the security advisory (unless you prefer to remain anonymous).

This policy applies to the code in this repository. It does not cover:

• Third-party dependencies (please report to the respective maintainers)
• Infrastructure or services not part of this repository