Security: itential/igsdk

SECURITY.md

Security Policy

Supported Versions

Version Supported
x.x.x
x.x.x

Reporting a Vulnerability

If you discover a security vulnerability in this project:

  1. Do not create a public GitHub issue
  2. Report via one of the following:
  3. Include in your report:
    • Description of the vulnerability
    • Steps to reproduce
    • Affected versions
    • Impact assessment
    • Suggested fix (if any)

We will acknowledge your report within 48 hours and provide regular updates on our progress toward a fix. We follow coordinated disclosure practices.

Security Best Practices

  • Credentials: Never hardcode secrets, API keys, or passwords. Use environment variables or a secrets manager.
  • Dependencies: Keep dependencies up to date. Run security scans regularly and monitor advisories.
  • Input validation: Validate and sanitize all external input at system boundaries.
  • Error handling: Sanitize error messages before exposing them. Avoid logging sensitive data.
  • TLS: Always use HTTPS in production environments.
  • Access control: Follow the principle of least privilege for all credentials and permissions.

There aren’t any published security advisories