Security: essdee/vel

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Vel, please report it responsibly.

Email: security@example.com

Do not open a public GitHub issue for security vulnerabilities.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • 48 hours — acknowledgment of your report
  • 7 days — initial assessment and severity classification
  • 90 days — coordinated disclosure window

Scope

This policy covers the Vel framework code itself:

  • Core framework (vel binary, build system, runtime)
  • Official panels and contracts
  • Authentication and middleware modules

Out of scope: Applications built on Vel, third-party plugins, or deployment configurations.

Disclosure Policy

We follow a 90-day coordinated disclosure policy. After 90 days, or once a fix is released (whichever comes first), the vulnerability may be publicly disclosed.

We credit reporters unless they prefer to remain anonymous.

There aren't any published security advisories