If you discover a security vulnerability in sum, please report it responsibly.

Do not open a public issue for security vulnerabilities.

Instead, please email security concerns to the maintainers or use GitHub's private vulnerability reporting feature.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial response: within 48 hours
• Status update: within 7 days
• Resolution target: within 30 days (depending on severity)