Email support@meshpilot.app with the subject line [security] ai-seo-agent: <short summary>.

Please do not open a public issue for security reports. We aim to acknowledge within 72 hours.

This policy covers the open-source code in this repository. Out of scope:

• Vulnerabilities in upstream dependencies (report to the vendor first).
• Vulnerabilities in the third-party APIs we integrate with — report to those vendors directly.
• Configuration mistakes in your own deployment.

The main branch is supported. Older tags receive security backports only when the fix is trivial.

Standard flow: report → acknowledge → fix in private → release → public advisory. Researchers are credited in the advisory unless they prefer anonymity.