We take security seriously. If you discover a security vulnerability in DevPulse, please report it responsibly.

Please do NOT open a public GitHub issue for security vulnerabilities.

1. GitHub Private Vulnerability Reporting (preferred): Use GitHub's private vulnerability reporting to submit a report directly through the repository.

2. Email: If private vulnerability reporting is unavailable, contact the maintainers through the email listed in the repository profile.

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours of your report
• Initial assessment: Within 5 business days
• Resolution timeline: We aim to release a fix within 30 days for critical issues

The following are in scope for security reports:

• Authentication and authorization bypasses
• SQL injection or other injection vulnerabilities
• Cross-site scripting (XSS)
• Sensitive data exposure
• Server-side request forgery (SSRF)
• Dependency vulnerabilities with a known exploit

• Issues in third-party dependencies without a proof of concept against DevPulse
• Social engineering attacks
• Denial of service attacks
• Issues requiring physical access

For guidance on DevPulse's security architecture, headers, rate limiting, and deployment hardening, see docs/security.md.

We appreciate responsible disclosure and will acknowledge security researchers in our release notes (unless you prefer to remain anonymous).