If you discover a security vulnerability in GLX, please report it responsibly:

1. Do not open a public GitHub issue for security vulnerabilities
2. Report via GitHub Security Advisories
3. Include a description of the vulnerability, steps to reproduce, and potential impact

• Acknowledgment within 48 hours of your report
• Assessment within 1 week — we'll confirm the vulnerability and its severity
• Fix timeline depends on severity:
  • Critical: patch release within 72 hours
  • High: patch release within 1 week
  • Medium/Low: included in next scheduled release

• govulncheck runs in CI on pushes to main, pull requests, and weekly to detect known vulnerabilities in dependencies
• gosec performs static security analysis on pushes to main, pull requests, and weekly
• Weekly scheduled scans catch newly disclosed vulnerabilities in existing dependencies

This policy covers the GLX CLI tool and the go-glx library. GLX archives are YAML files processed locally — there is no network-facing attack surface in normal usage.