Security: dallay/agentsync

SECURITY.md

Security Policy

Supported Versions

Use this section to tell people about which versions of your project are currently being supported with security updates.

Version Supported
5.1.x
5.0.x
4.0.x
< 4.0

Reporting a Vulnerability

If you believe you've found a security vulnerability in this project, please report it privately so we can investigate and remediate it before public disclosure. We provide the following reporting channels and commitments to ensure timely handling and clear expectations.

  • Designated contact (preferred order):

    • Open a private Security Advisory on GitHub for this repository: go to "Security" → "Advisories" → "Create new draft advisory" and follow the prompts. This lets us track the issue privately and (optionally) request a CVE.
    • Email: security@profiletailors.com (you may send a GPG‑encrypted message if you prefer).
  • What to include in your report:

    • Affected version(s) or commit SHAs.
    • A clear description of the vulnerability and its security impact.
    • Reproduction steps and a minimal proof‑of‑concept (PoC), if available.
    • Any relevant logs, configurations, or environment details.
    • Whether you request a CVE and your preferred contact method.
    • Whether you are reporting as an individual or on behalf of an organization, and any disclosure preferences.
  • Response commitments (SLAs):

    • Acknowledgement: within 48 hours of receiving your report (business days).
    • Initial triage: within 7 calendar days with a summary of the triage result and an estimated remediation plan or mitigation steps.
    • Status updates: for critical/urgent issues we will provide updates at least every 72 hours; for other issues we will provide updates at least weekly until resolved, or more frequently if agreed with the reporter.
  • Disclosure process and timeline:

    • We will coordinate disclosure with the reporter and aim to publish a public advisory once a fix is available and users can upgrade safely.
    • The typical responsible disclosure window is 90 days from the initial report; we may extend this window for complex fixes if both parties agree.
    • If coordination with the reporter is not possible, we reserve the right to disclose the issue after the disclosure window while trying to minimize user impact.
    • CVE assignment: we will request CVEs when appropriate.
    • Bounties: we do not operate a formal vulnerability bounty program at this time; however, we may consider discretionary rewards on a case‑by‑case basis. Contact security@profiletailors.com to discuss.
  • Confidentiality and safe harbor:

    • Please avoid public disclosure (including posting PoCs) until a fix is available or disclosure is coordinated with project maintainers.
    • We appreciate responsible research and will not pursue legal action against good‑faith security researchers who follow these guidelines.

If you need faster handling for an active exploit or very high‑severity incident, please mark the report as high severity and include the best way to contact you securely in the report.