If you discover a security vulnerability in this project, please report it responsibly.

Email: security@ansvar.eu

Include:

• A description of the vulnerability.
• Steps to reproduce the issue.
• The affected package(s) and version(s).

• We will acknowledge receipt within 2 business days.
• We aim to provide an initial assessment within 7 days.
• We will coordinate a fix and disclosure within 90 days of the initial report.
• If the issue is confirmed, we will credit the reporter in the release notes (unless anonymity is requested).

This policy covers the MCP server code and its dependencies. It does not cover the upstream agency websites that serve as data sources.

Only the latest release on the main branch receives security updates.