# Security Policy

## Reporting a Vulnerability

If you discover a security issue, please report it **privately**.

Email: rrosado6@gatech.edu

Subject: SECURITY:

Include:

- Description of the issue and impact
- Steps to reproduce (POC if available)
- Affected components
- Screenshots or logs (if helpful)

Do not open public issues for security vulnerabilities.

## Response Timeline

- Acknowledgement within 2 business days
- Triage and severity assessment within 5 business days
- Fix or mitigation as soon as practical based on severity

## Responsible Disclosure

We support responsible security research conducted in good faith. Please avoid service disruption, data exfiltration beyond proof-of-concept, or privacy violations. Public disclosure should occur only after a fix or mitigation is available.

## Security Expectations

- Enforce server-side authorization (RBAC)
- Protect sensitive data in transit (TLS)
- Log and audit critical actions
- Review code before merging