Security: heurema/goalrail

SECURITY.md

Security policy

Thanks for helping keep Goalrail and its users safe.

Supported versions

Until the project publishes stable releases, the main branch is the only supported line for security fixes.

When versioned releases begin, this policy should be updated to show which release lines receive security patches.

Reporting a vulnerability

Please do not open a public GitHub issue for a suspected security problem.

Instead, report vulnerabilities privately to:

Please include, when possible:

  • a clear description of the issue;
  • affected paths, components, or deployment assumptions;
  • reproduction steps or proof of concept;
  • impact assessment;
  • any suggested remediation.

What to expect

We will make a good-faith effort to:

  • acknowledge receipt within 3 business days;
  • investigate and assess severity;
  • coordinate a fix and disclosure approach with the reporter where appropriate.

Disclosure guidance

Please avoid public disclosure until maintainers have had a reasonable chance to investigate and prepare a fix or mitigation.

Out of scope

This file is not a bug bounty program and does not create any right to compensation.

There aren't any published security advisories