Policy-Version: v1.0.0
Effective-Date: 2026-02-28
Owner: WTG Governance Team

Use GitHub Security Advisories for responsible disclosure:

• Private report path: repository Security tab -> Report a vulnerability.
• Do not disclose exploit details publicly before triage.

Security support applies to:

• Latest main release line.
• Most recent tagged public release.

Older snapshots may not receive security fixes.

Target response windows:

• Acknowledgement: within 72 hours.
• Initial triage: within 7 calendar days.
• Mitigation plan: as soon as reproducibility and impact are confirmed.

These targets are best-effort goals, not guaranteed contractual commitments.

If a report is out of scope or non-actionable, rationale will be documented in the advisory workflow.