Please report security issues privately — do not open a public issue.
- Preferred: GitHub private vulnerability reporting — https://github.com/GOATnote-Inc/safeshift/security/advisories/new
- We aim to acknowledge within 5 business days and to agree a remediation timeline after triage. Please allow a reasonable window before any public disclosure.
This is a research repository; security fixes land on the default branch (main).
- GitHub Actions are pinned to full commit SHAs and updated via Dependabot.
- Dependencies are monitored via Dependabot; the Socket GitHub App is recommended for malicious-package detection.
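As an added illustration of the SHA-pinning practice above (example code written here, not part of the safeshift repository), the following script flags any `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-hex commit SHA. The sample workflow and its SHA are constructed for the example; a trailing `# vX.Y.Z` comment is kept on pinned lines so Dependabot can recognise and bump the version.

```python
import re
import sys
from pathlib import Path

# Matches a step's `uses:` reference (owner/repo[/path]@ref), ignoring quotes and comments.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
# A full commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def unpinned_uses(workflow_text: str) -> list:
    """Return (line_number, reference) pairs for third-party action references
    that are not pinned to a full commit SHA. Local actions (./...) and
    docker:// images are skipped; they are not resolved through a git ref."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        # A missing "@ref" means the default branch is used: mutable, so flagged.
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow: one correctly pinned action (SHA is made up),
# one tag reference and one branch reference that should both be flagged.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: pytest
"""

if __name__ == "__main__":
    # Scan the repository's workflows when run from its root; exit non-zero on findings.
    paths = sorted(Path(".github/workflows").glob("*.y*ml")) if len(sys.argv) == 1 else map(Path, sys.argv[1:])
    bad = [(p, n, r) for p in paths for n, r in unpinned_uses(p.read_text())]
    for p, n, r in bad:
        print(f"{p}:{n}: not pinned to a full commit SHA: {r}")
    sys.exit(1 if bad else 0)
```

Run it from the repository root (or pass workflow files as arguments) to use it as a pre-merge check alongside Dependabot's own updates.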