This is an org-wide default. Any infraspecdev repo without its own
SECURITY.md inherits this one.
Please do not report security vulnerabilities through public GitHub issues.
Instead, report them privately via one of:
- GitHub's private vulnerability reporting on the affected repository (Security tab → Report a vulnerability), or
- Email security@infraspec.dev with a description, reproduction steps, and impact.
Please include as much detail as possible so we can reproduce and triage quickly.
- Acknowledgement within 3 business days.
- A triage assessment and severity rating.
- Coordinated disclosure — we will agree on a timeline before any public disclosure.
Unless a repository states otherwise, only the latest released version receives security fixes.