Please do not open a public GitHub issue for an undisclosed security vulnerability. Use GitHub private vulnerability reporting in the Security tab of this project instead.

When reporting a vulnerability, include:

• the affected dmarc-msp version or commit
• the component involved (API, CLI, DNS provider, OpenSearch provisioning, etc.)
• clear reproduction details if available
• potential impact
• any suggested mitigation or workaround

Security fixes will be applied to the latest released version and the current main branch.

Older versions will not receive backported fixes.

After a report is received, maintainers will validate the issue, assess impact, and coordinate a fix before public disclosure.

Please avoid publishing proof-of-concept details until maintainers have had a reasonable opportunity to investigate and release a fix or mitigation.