We only provide security fixes for the latest release.

If you discover a security vulnerability, please report it responsibly. Do not open a public GitHub issue.

Email security@zosma.ai with:

• A description of the vulnerability
• Steps to reproduce
• Any relevant logs or screenshots
• Your suggested severity (critical, high, medium, low)

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.

• We follow coordinated disclosure. We ask that you give us a reasonable window (typically 90 days) to address the issue before public disclosure.
• Once a fix is released, we will publish a security advisory on GitHub.
• Credit will be given to reporters unless they prefer to remain anonymous.

This policy applies to the zosma-qa repository and any officially maintained packages within this monorepo. Third-party dependencies are outside our direct scope, but we will work to address transitive vulnerabilities promptly.