
Security: landerox/landerox.github.io


.github/SECURITY.md

Security Policy

Reporting a Vulnerability

I take the security of this project seriously. If you believe you have found a security vulnerability, please use the GitHub Private Vulnerability Reporting feature.

  1. Navigate to the Security tab of this repository.
  2. Select Advisories from the left sidebar.
  3. Click Report a vulnerability to open a private advisory.

Alternatively, you can reach out via the contact methods listed on landerox.com. Please do not use public issues for security vulnerabilities.

Disclosure Policy

  • I will acknowledge receipt of your report within 48 hours.
  • I will provide an estimated timeframe for a fix within 7 days.
  • I will notify you once the vulnerability is resolved.

Posture transparency

For visibility into the security posture of this repository:

  • Supply-chain audit (public): OpenSSF Scorecard runs weekly and on every push to main. SARIF results upload to GitHub code-scanning.
  • Vulnerability advisories: GitHub Dependabot alerts cover the full dependency graph (including transitive deps from uv.lock).
  • Python dependency audit: pip-audit runs in CI on push and daily at 08:00 UTC, scoped to declared deps via uv export.
  • Secrets detection: gitleaks runs on pre-commit with 160+ provider rules (cloud keys, SaaS tokens, fine-grained PATs). False positives are tracked in .gitleaksignore at repo root.
  • Workflow security: zizmor enforces a hash-pin policy on pre-commit. All third-party Actions are pinned to a full commit SHA rather than a mutable tag or branch.

See docs/decisions.md for the full rationale (§§ 7, 9, 11, 12, 15).
