Do not report security vulnerabilities through public GitHub issues.

Instead, please report them via:

1. Email: security@hyperpolymath.org (preferred)
2. GitHub Security Advisories: Create a private advisory

• Type of vulnerability (injection, deserialization, etc.)
• Full path to affected source file(s)
• Step-by-step instructions to reproduce
• Proof-of-concept or exploit code (if available)
• Impact assessment

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Resolution target: Within 90 days (may vary based on severity)

We consider security research conducted in accordance with this policy to be:

• Authorized
• Lawful
• Helpful

We will not pursue legal action against researchers who follow this policy.

This project implements:

• Dependabot alerts enabled
• CodeQL static analysis
• OpenSSF Scorecard compliance
• Signed commits required
• Branch protection enabled
• Zero runtime dependencies beyond Elixir standard library

The A2ML parser processes untrusted input. While the Elixir implementation benefits from BEAM VM memory safety:

1. Parser input may contain maliciously crafted documents
2. Directive evaluation does not execute arbitrary code
3. Trust level assertions are metadata only — they do not provide cryptographic guarantees without external verification

Report issues in any layer — we take all security concerns seriously.