Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Use one of the private channels instead:

1. GitHub Security Advisory (preferred). Open a private advisory. This creates a private thread visible only to you and the Synheart maintainers.

2. Email. Send details to security@synheart.ai. Encrypt sensitive content if possible.

Please include:

• A description of the vulnerability and its impact.
• Steps to reproduce, or a proof-of-concept.
• Affected versions, if known.
• Your contact information for follow-up.

• We aim to acknowledge new reports within 3 business days.
• We will keep you informed as we investigate and develop a fix.
• We will coordinate disclosure with you. Please do not publish details until a fix is released.
• We credit reporters in the release notes unless you prefer to remain anonymous.

This policy covers the syni Flutter SDK published from this repository, including its on-device inference runtime, agent layer, and bundled persona assets. Issues in unrelated dependencies should be reported upstream to their maintainers.

• Vulnerabilities requiring physical access to an unlocked device.
• Reports generated solely from automated scanners without a working proof-of-concept.
• Issues in example/demo code clearly marked as non-production.
• Model outputs (hallucinations, jailbreaks, prompt-injection in user content). For persona-spec or safety-rail bypasses, please email security@synheart.ai with the persona id and reproducer (the spec itself is maintained separately from this SDK).