Please do NOT open a public GitHub issue for security vulnerabilities.

To report a security vulnerability:

1. Email: security@secure-ref.dev (or create a private GitHub advisory)
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (optional)

Response SLA:

• Acknowledgement: within 24 hours
• Fix timeline: within 72 hours for critical, 7 days for high

• Keep secure-ref updated to the latest version
• Run npm audit regularly in your project
• Enable npm provenance verification
• Never disable security headers without understanding the risk (see secureRef.reference())

• ✅ Zero runtime dependencies (eliminates supply chain risk)
• ✅ npm audit clean on every release
• ✅ 2FA enabled on npm publish account
• ✅ Signed commits (GPG)
• ✅ npm provenance attestation
• ✅ OWASP Top 10:2025 aligned

We follow responsible disclosure. Fixes will be released within the stated SLA, followed by a public advisory post-fix.