If you discover a security vulnerability, please report it via:

1. GitHub Security Advisories — https://github.com/ykstorm/anchor/security/advisories/new
2. Email — (include "SECURITY" in the subject line)

Please do not disclose security issues publicly until a fix is available.

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix timeline: varies by severity

For critical vulnerabilities, please consider encrypted communication.