Security: m-de-graaff/keyloom

SECURITY.md

Security Policy

We take security seriously and appreciate reports from the community.

Reporting a vulnerability

  • Please email: security@keyloom.dev
  • Include a detailed description, reproduction steps, and impacted versions
  • You should receive an acknowledgement within 72 hours
  • We aim to provide a fix or mitigation timeline and coordinated disclosure plan

Scope

  • All packages in this repository (@keyloom/*)
  • Authentication flows, crypto primitives, adapters, and server routes

Do not

  • Do not create public GitHub issues for security reports
  • Do not test against production systems without permission

Supported versions

We generally patch the latest minor versions of maintained packages. Older, unmaintained versions may receive best-effort advisories only.

Coordinated disclosure

  • We will work with you on a reasonable disclosure timeline
  • Credit is given in release notes (optional)

Safe harbor

We will not pursue legal action for good-faith research and disclosure that follows this policy and avoids privacy violations, data exfiltration, or service disruption.
