Security: cxforge/.github

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

⚠️ IMPORTANT: Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security issues via:

  • Email: security@cxforge.io (PGP key available upon request)
  • GitHub Private Vulnerability Reporting: Enabled on all repositories

Response Process

  1. Acknowledgment — We'll confirm receipt
  2. Investigation — We'll assess the severity and impact
  3. Fix Development — We'll develop and test a fix
  4. Disclosure — We'll coordinate public disclosure after the fix is deployed

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact assessment
  • Suggested fix (if you have one)
  • Your name/handle for attribution (optional)

Scope

This security policy applies to:

  • All repositories under github.com/cxforge
  • Production infrastructure at cxforge.io domains
  • Container images and artifacts published by this organization

Out of Scope

The following are generally NOT considered vulnerabilities:

  • Missing security headers on static assets
  • Self-XSS (XSS that requires the user to attack themselves)
  • Social engineering attacks
  • Physical security issues

Recognition

We believe in responsible disclosure and will publicly acknowledge reporters who:

  • Follow this disclosure policy
  • Provide clear, actionable reports
  • Allow reasonable time for fixes before public disclosure
