Security: Skelf-Research/waremax

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. Do not open a public GitHub issue for security vulnerabilities
  2. Email security concerns to the maintainers privately
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment of your report within 48 hours
  • Regular updates on the progress of addressing the issue
  • Credit in the security advisory (unless you prefer to remain anonymous)

Scope

This security policy applies to:

  • The Waremax simulation engine and CLI
  • Official configuration schemas
  • Dependencies managed by this project

Out of scope:

  • Third-party integrations not maintained by this project
  • Issues in upstream dependencies (please report those to the respective projects)

Security Best Practices

When using Waremax:

  • Keep your installation up to date
  • Validate configuration files before running simulations
  • Be cautious when running scenarios from untrusted sources
  • Review output directories to avoid overwriting important files

Disclosure Policy

We follow coordinated disclosure:

  1. Reporter submits vulnerability privately
  2. We investigate and develop a fix
  3. Fix is released with a security advisory
  4. Public disclosure after users have had time to update

There aren’t any published security advisories