If you discover a security vulnerability in this project, please report it responsibly.

1. Do NOT create a public GitHub issue for security vulnerabilities
2. Email: rhodium-standard@proton.me
3. Or use GitHub's private vulnerability reporting if enabled

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (optional)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution Target: Within 30 days for critical issues

1. Acknowledgment of your report
2. Regular updates on progress
3. Credit in release notes (unless you prefer anonymity)
4. Coordinated disclosure timeline

• All GitHub Actions pinned to SHA hashes
• SPDX license headers on source files
• Dependency auditing via Scorecard

• HTTPS only for all external URLs
• No hardcoded secrets
• Automated secret scanning via TruffleHog

This security policy applies to:

• This repository and official releases
• Documentation

• Third-party forks or modifications
• Vulnerabilities in dependencies (report to respective maintainers)