Security updates are applied to the active release line when practical.
Please do not open a public GitHub issue for undisclosed security vulnerabilities.
Instead, use one of the following:
- GitHub private vulnerability reporting (preferred if enabled for this repository): open the repository on GitHub and use Security → Report a vulnerability (wording may vary by UI).
- If private reporting is not available, contact the repository maintainers through an appropriate private channel and ask that the message be routed to frappe_mobile_control maintainers.
To help us assess and fix issues quickly, include when possible:
- A short description of the vulnerability and its impact
- Steps to reproduce, or proof-of-concept, if safe to share
- Affected versions or commit, if known
- Your suggestion for a fix (optional)
- You should receive an acknowledgment after the report is triaged (timeframes depend on maintainer availability).
- We may ask follow-up questions or request a coordinated release timeline.
This policy applies to the mobile_control app in this repository. Server-side issues in other apps should follow their own security policies (if available).
We support responsible disclosure. If you make a good-faith effort to avoid privacy violations, destruction of data, or interruption of services, and give us reasonable time to address the issue before public disclosure, we will not pursue legal action against you for research related to this policy.