# Security Policy

## Supported versions

Only the latest published `@1agh/maude` release on npm receives fixes. Pin upgrades to the most recent minor before reporting.

## Reporting a vulnerability

Email **m.dovrtel@gmail.com** with:

- A short description.
- Affected version (`maude --version` or `package.json`).
- Reproduction steps or the relevant snippet.

**Please do not open a public GitHub issue for security reports.** A private GitHub Security Advisory is also acceptable: <https://github.com/1aGh/maude/security/advisories/new>.

## Response

- Acknowledgement: within 5 business days.
- Fix or mitigation plan: within 30 days for confirmed issues.
- Coordinated disclosure preferred — credit given in the release notes unless you prefer to stay anonymous.