Security: lydakis/alloy

.github/SECURITY.md

Security Policy

We take the security of alloy-py seriously and appreciate responsible disclosures.

Reporting a Vulnerability

  • Prefer GitHub Private Vulnerability Reporting: go to the repo and click “Report a vulnerability”.
  • Alternatively, email: george@lydakis.me
  • Please include detailed reproduction steps, affected versions, and impact.
  • Do not open public issues for vulnerabilities.

Supported Versions

  • Actively supported: the latest released minor series (e.g., 0.1.x)
  • Older releases: best effort only for critical issues.

Response Timeline (SLO)

  • Acknowledgement: within 3 business days
  • Triage & initial assessment: within 7 days
  • Fix for high/critical: target 30 days (or coordinated disclosure date)

Disclosure

We follow coordinated disclosure. Once a fix is available, we will publish a security advisory with credits.

PGP / Encryption

If you need encryption, mention it in your report and we will coordinate a key exchange.

There aren’t any published security advisories