# Security Policy

## Supported scope

This repository contains the OSS desktop workspace and runtime stack.

We treat these classes of issues as security-sensitive:

- credential, token, or secret exposure
- remote code execution
- sandbox escape or privilege escalation
- auth bypass
- unsafe default configuration that exposes a local runtime or user data

## Reporting

Do not file public GitHub issues for security vulnerabilities.

Report vulnerabilities privately to:

- `admin@holaboss.ai`

Include:

- affected commit or release
- reproduction steps
- impact assessment
- any proposed mitigations if you have them

We will acknowledge receipt and triage privately.

## Disclosure

Please give us reasonable time to validate and fix issues before public disclosure.