# Security Policy

## Supported Versions

Security fixes are applied to the latest supported release line and the active development branch.

| Branch / channel | Status |
| --- | --- |
| `main` / `@latest` | Supported |
| `dev` / `@dev` | Supported |
| Older releases | Best effort only |

## Report A Vulnerability

Do not open public GitHub issues for suspected security vulnerabilities.

Use GitHub Private Vulnerability Reporting instead:

- https://github.com/kaitranntt/ccs/security/advisories/new

Include:

- A short description of the issue
- Affected version, branch, or install method
- Reproduction steps or proof of concept
- Impact assessment if you have one

Please avoid posting tokens, cookies, private configs, or exploit details in public issues, discussions, or screenshots.

## What To Expect

- Initial acknowledgement target: within 3 business days
- Triage and severity assessment after reproduction
- A coordinated fix and release when the report is confirmed

If you already opened a public issue by mistake, edit it down to a minimal note and ask for a private reporting path instead of posting more detail.