Security: UrbanTree-Corp/UTC

SECURITY.md

Security Policy

UrbanTree Corp is committed to ensuring the integrity and privacy of bio-civic data. This document outlines our security philosophy and vulnerability reporting process.

Supported Versions

Only the latest stable release receives security updates.

Version Supported
1.x.x
< 1.0

Authentication Standards

All contributions to the authentication module must adhere to the following standards:

  1. Zero-Trust Architecture: Never trust client-side validation alone. Always verify tokens against the backend/database.
  2. Secret Isolation: TOTP secrets must never appear in client-side logs or error messages.
  3. Session Management: The InactivityGuard component must wrap all protected routes to enforce the 20-second idle timeout rule.
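
One way the three standards above fit together on the server, as an added example (not UrbanTree's own code): every token is checked against a backend store, the 20-second idle rule is applied there as well as in the client, and TOTP secrets are masked before a record is logged. SessionStore, IDLE_LIMIT_MS, redactForLog and the field names are hypothetical, chosen for illustration.

```javascript
// Added example. All names here are hypothetical, not the project's API.
const IDLE_LIMIT_MS = 20_000; // the 20-second idle rule from the policy

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.sessions = new Map(); // token -> { userId, totpSecret, lastSeen }
  }

  // Called after a successful login; token generation is out of scope here.
  create(token, userId, totpSecret) {
    this.sessions.set(token, { userId, totpSecret, lastSeen: this.now() });
  }

  // Every protected request passes through this check, whatever the client claims.
  verify(token) {
    const session = this.sessions.get(token);
    if (!session) return { ok: false, reason: 'unknown_token' };
    if (this.now() - session.lastSeen > IDLE_LIMIT_MS) {
      this.sessions.delete(token); // an expired session cannot be revived
      return { ok: false, reason: 'idle_timeout' };
    }
    session.lastSeen = this.now(); // sliding window: activity resets the timer
    return { ok: true, userId: session.userId }; // the secret is never returned
  }
}

// Copy a record for logging with secret-bearing fields masked.
const SECRET_FIELDS = new Set(['totpSecret', 'token']);
function redactForLog(record) {
  return Object.fromEntries(
    Object.entries(record).map(([key, value]) =>
      [key, SECRET_FIELDS.has(key) ? '[REDACTED]' : value])
  );
}
```

A client-side idle guard then only improves the user experience; the server rejects a stale token even if the client timer is bypassed.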

Reporting a Vulnerability

If you discover a security vulnerability within the UrbanTree Platform, please do not disclose it publicly.

  1. Email the engineering security team at security.utcugc@tuta.io.
  2. Include a detailed description of the exploit and steps to reproduce.
  3. Our team will acknowledge receipt within 48 hours.
