If you discover a security vulnerability in any baker-scripts project, please report it responsibly.

Do not open a public issue.

Instead, contact bakerboy448 on Discord with:

• A description of the vulnerability
• Steps to reproduce
• Affected repository and version/commit
• Any potential impact assessment

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Fix or mitigation: Varies by severity, typically within 30 days

This policy applies to all repositories in the baker-scripts organization.

• Vulnerabilities in upstream dependencies (report those upstream)
• Issues in forks or unofficial distributions
• Social engineering attacks

We follow coordinated disclosure. Please allow reasonable time for a fix before public disclosure.