Security Policy Reporting a Vulnerability Open a private GitHub Security Advisory: https://github.com/technophylax/ocpa/security/advisories/new Please include: description, impact, steps to reproduce, affected version/commit, suggested fix if known. We aim to acknowledge within 2 business days. Supported Versions Main branch; tagged releases. Expectations Do not test against production deployments you don’t own. Avoid exploiting beyond proof of concept; share logs/traces if safe. Out of Scope Social engineering, physical attacks, or issues requiring privileged local access outside OCPA. Pre-release checks Run a secret scan (gitleaks/trufflehog) on history before public releases; actions are wired to allow scans on demand.