For Shroud's full security policy, threat model, and vulnerability reporting instructions, see docs/SECURITY.md.
Do not open a public issue for security vulnerabilities.
Use GitHub's Security Advisories to report vulnerabilities privately, or contact the maintainer (loujr) directly through GitHub.
| Step | Target |
|---|---|
| Acknowledge receipt | 72 hours |
| Initial assessment | 1 week |
| Fix or mitigation plan | 2 weeks |
| Public disclosure | After fix is available |