
Security: lanka-ai-foundation/.github

SECURITY.md

Security Policy

Reporting a Vulnerability

The Lanka AI Foundation team and community take security issues seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Please do NOT

  • Open a public GitHub issue describing the vulnerability.
  • Discuss the vulnerability in public forums, social media, or chat channels until it is resolved.
  • Test the vulnerability against systems you do not own or have explicit permission to test.

Please DO

Report suspected security vulnerabilities privately through one of the following channels:

  1. Preferred: Use GitHub's private vulnerability reporting on the affected repository (Security tab → Report a vulnerability).
  2. Alternative: Email the maintainers directly — for now, contact @Luxshan2000 or @Sivasuthan9 via their GitHub-listed contacts. (A dedicated [email protected] address will be set up once we have a domain.)

What to include

To help us triage quickly, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, including any required configuration or sample inputs.
  • Affected versions and platforms.
  • Any suggested fix or mitigation, if you have one.
  • Whether you'd like to be credited in the eventual advisory (and how).

Our commitment

  • We will acknowledge receipt within 5 business days.
  • We will provide an initial assessment within 10 business days.
  • We will keep you informed as we work on a fix.
  • We will credit you in the public advisory unless you ask us not to.
  • We will not pursue legal action against researchers who follow this policy in good faith.

Scope

This policy covers all repositories under the lanka-ai-foundation organization. Vulnerabilities in third-party dependencies should generally be reported upstream first, but please also tell us so we can track the issue and patch our own usage of the dependency.

Thank you for helping keep LAIF and its community safe.