Please report suspected vulnerabilities privately by emailing security@harnesslabs.dev.

Include:

• affected version(s)
• reproduction steps or proof of concept
• impact assessment
• suggested remediation if available

Do not open a public issue for undisclosed vulnerabilities.

• Initial triage response: within 3 business days
• Status update cadence: at least weekly while actively investigating
• Public disclosure: coordinated after a fix or mitigation is available

During 0.x beta, only the latest tagged release receives security fixes.