Please do not open a public GitHub issue for security vulnerabilities.

Instead, report vulnerabilities privately using one of the following methods:

1. GitHub Private Vulnerability Reporting: Use the Security Advisories page to submit a private report directly on GitHub.
2. Email: Send details to scott@ScottsSecondAct.com.

• Description of the vulnerability
• Steps to reproduce
• Affected version(s)
• Potential impact

• Acknowledgment within 72 hours of your report
• Status update within 7 days with an initial assessment
• Resolution timeline communicated once the issue is confirmed
• Credit in the release notes (unless you prefer to remain anonymous)

As a Go policy enforcement and compliance library, relevant security concerns include:

• Logic flaws that cause deny-wins or fail-closed semantics to be bypassed
• Incorrect policy evaluation leading to unauthorized access grants
• Unsafe handling of untrusted input passed to policy or compliance rule functions
• Goroutine safety issues if the engine is used concurrently

• Issues requiring physical access to the machine
• Social engineering
• Vulnerabilities in dependencies with existing upstream fixes (please check first)