If you discover a security vulnerability in Sputnik, please report it responsibly.

Do not open a public issue.

Instead, please email marcel@refs.media with:

• A description of the vulnerability
• Steps to reproduce
• Expected vs actual behavior
• Any relevant logs or screenshots

You will receive an acknowledgment within 48 hours. We aim to provide a fix or mitigation within 7 days of confirmation.

This policy covers the Sputnik CLI tool and its PHAR distribution. It does not cover user-defined tasks or configurations.