Security: nightconcept/solivan-dev-v3

SECURITY.md

Security Policy

I take the security of our software seriously. I appreciate your efforts to responsibly disclose your findings, and I will make every effort to acknowledge your contributions.

Reporting a Vulnerability

If you believe you have found a security vulnerability in Codesprout, please report it to us as soon as possible. I ask that you do not disclose the vulnerability publicly until I have had a chance to address it.

Please report vulnerabilities via one of the following methods:

  • Email: Send an email to [dark@nightconcept.net](mailto:dark@nightconcept.net) with a detailed description of the vulnerability, steps to reproduce it, and any potential impact.

I aim to acknowledge receipt of your vulnerability report within 3 business days.

Disclosure Policy

Our goal is to address and fix any reported security vulnerability in a timely manner. Here is our general process:

  1. Confirmation: I will confirm the vulnerability and determine its impact. I may contact you for more information during this phase. This typically takes up to 7 days.
  2. Remediation: Our team will work on a fix for the vulnerability. The timeline for this can vary depending on the complexity of the vulnerability, but I aim to have a patch ready within 30 days of confirmation. For more complex issues, this might extend up to 90 days.
  3. Disclosure: Once the vulnerability is fixed and a new version is released, I will make a public disclosure. This disclosure will typically include a description of the vulnerability and credit to the reporter, unless you request to remain anonymous. I believe in transparent disclosure practices.

I am committed to a coordinated vulnerability disclosure process. I expect to work closely with the reporter throughout the lifecycle of the vulnerability.

Scope

This policy applies to the latest stable version of solivan-dev. If you are using an older version, please consider upgrading before reporting a vulnerability, as it may have already been addressed.

Out of Scope

The following are generally considered out of scope for our vulnerability disclosure program:

  • Denial of service attacks that require significant volumetric resources.
  • Social engineering or phishing attacks.
  • Vulnerabilities in third-party dependencies (please report those to the respective projects, though I appreciate a heads-up if it impacts solivan-dev).

Thank you for helping keep solivan-dev secure. Your efforts in responsible disclosure are highly valued.

There aren’t any published security advisories