Report suspected vulnerabilities privately to security@trustsignal.dev.

Include:

• a clear description of the issue
• reproduction steps
• affected versions or commit references
• impact assessment if known

Do not open public GitHub issues for suspected security vulnerabilities.

• Do not include secrets, API keys, tokens, customer data, or private receipts in reports.
• Sanitize logs, payloads, and screenshots before sharing them.

TrustSignal reviews reports as quickly as possible, validates impact, and coordinates remediation and disclosure timing with reporters when appropriate.