Security: jesseRules/MillWorks.AuditCore

SECURITY.md

Security Policy

MillWorks.AuditCore is an audit and compliance library. Security is foundational to this project, and we take all vulnerability reports seriously.

Supported Versions

Version Supported
1.0.x

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, email security@millworks.dev with the following details:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any suggested remediation (if applicable)

Response Timeline

  • 48 hours -- We will acknowledge receipt of your report.
  • 7 days -- We will provide an initial assessment, including severity classification and planned next steps.
  • 30 days -- We aim to release a fix for confirmed vulnerabilities, depending on complexity.

Disclosure Policy

  • We follow coordinated disclosure. We ask that you do not publicly disclose the vulnerability until a fix has been released.
  • Once a fix is available, we will publish a security advisory through GitHub and credit the reporter (unless anonymity is requested).

Credit

We are happy to credit security researchers who report valid vulnerabilities. Let us know in your report how you would like to be credited.

Scope

This policy applies to the MillWorks.AuditCore library itself. Issues in third-party dependencies should be reported to the respective maintainers, though we appreciate being notified so we can assess downstream impact.

There aren’t any published security advisories