# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in Mercur, **please report it privately** — do not open a public GitHub issue.

**Email:** [hello@rigbyjs.com](mailto:hello@rigbyjs.com)

### What to Include

- Description of the vulnerability
- Steps to reproduce (or proof of concept)
- Affected components or modules
- Potential impact and severity estimate
- Suggested fix (if you have one)

### What to Expect

We will keep you informed throughout the process and credit you in the release notes (unless you prefer to remain anonymous).

### Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:

- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities privately through the channel above
- Allow reasonable time for a fix before any public disclosure

### Supported Versions

Security fixes are applied to the latest release. We do not backport fixes to older versions unless the vulnerability is critical and the version is widely deployed.