# Security Policy

## Supported Versions

Security fixes are handled on the default branch and the latest tagged release line.

## Reporting A Vulnerability

Please do not report suspected vulnerabilities through public GitHub issues.

Use GitHub private vulnerability reporting for this repository:

https://github.com/arancormonk/mbelib-neo/security/advisories/new

If you need to coordinate before filing, use a draft GitHub Security Advisory.

Include:

- affected commit, tag, or release
- platform and build configuration
- reproduction steps or proof of concept
- expected impact
- whether the issue may expose credentials, keys, captures, or user data

The maintainer will acknowledge valid reports through the private GitHub security channel and coordinate disclosure there.

## Response Process

The maintainer will:

1. Acknowledge valid vulnerability reports within 14 days.
2. Triage impact, affected versions, exploitability, and available mitigations.
3. Develop fixes privately when public disclosure would increase user risk.
4. Coordinate disclosure timing with the reporter when practical.
5. Publish a fixed release, advisory, or release note for confirmed vulnerabilities.
6. Credit reporters unless anonymity is requested.

Reports that cannot be reproduced or do not affect mbelib-neo will be closed with an explanation when possible.

## Public Vulnerability Information

Confirmed vulnerabilities are published through GitHub Security Advisories, release notes, or both. Public entries should include affected versions, mitigation or upgrade guidance, and reporter credit unless anonymity is requested.

## Handling Sensitive Artifacts

Do not attach private captures, credentials, radio keys, or machine-specific configuration to public issues or pull requests. Redact or synthesize test data before sharing it publicly.