Please report suspected vulnerabilities privately to:

• security@hippocortex.dev

Include:

• Affected versions/commit
• Reproduction steps
• Potential impact
• Suggested mitigation (if known)

1. We acknowledge reports within 3 business days.
2. We validate and triage severity.
3. We prepare a fix and release notes.
4. We disclose once users have a reasonable patch window.

Please do not open public issues for unpatched vulnerabilities.