Security: dshills/specBuilder

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Email your findings to the project maintainers
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: We will acknowledge receipt within 48 hours
  • Assessment: We will assess the vulnerability and determine its severity
  • Updates: We will keep you informed of our progress
  • Resolution: We aim to resolve critical vulnerabilities within 30 days
  • Credit: We will credit reporters in our release notes (unless you prefer anonymity)

Security Best Practices

When contributing to this project:

  • Never commit secrets, API keys, or credentials
  • Keep dependencies up to date
  • Follow secure coding practices
  • Validate all user inputs
  • Use parameterized queries for database operations

Scope

This security policy applies to:

  • The Spec Builder backend (Go)
  • The Spec Builder frontend (React)
  • Configuration files and documentation

Third-party dependencies are managed by their respective maintainers.

There aren’t any published security advisories