# Security Policy

## Supported Versions
We provide security updates for the latest major release of duck-iam.
Older versions may not receive patches.

## Reporting a Vulnerability
**Please do not disclose security issues publicly.**
If you discover a vulnerability in duck-iam:

1. Report it privately by emailing: **security@gentleduck.com**
2. Include a detailed description of the vulnerability and how to reproduce it.
3. We will confirm receipt within **48 hours** and provide a timeline for a fix.

## Responsible Disclosure
We ask security researchers to give us **90 days** to address issues before public disclosure.
We will credit you in release notes unless you prefer to remain anonymous.

Thank you for helping keep duck-iam secure.