| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |

If you discover a security vulnerability in Wallow, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email BC@bcordes.dev with:

- A description of the vulnerability
- Steps to reproduce the issue
- Any relevant logs, screenshots, or proof-of-concept code
- The affected version(s)

After you submit a report, you can expect the following:

- Acknowledgment: You will receive a response within 48 hours confirming receipt of your report.
- Updates: You can expect status updates at least every 7 days until the issue is resolved.
- Resolution: If the vulnerability is accepted, a fix will be developed and released as a patch. You will be credited in the release notes unless you prefer to remain anonymous.
- Declined reports: If the reported issue is not considered a vulnerability, you will receive an explanation of why it was declined.

We follow coordinated disclosure. Please allow us a reasonable timeframe to address the vulnerability before disclosing it publicly. We aim to release patches within 30 days of a confirmed vulnerability.