If you discover a security vulnerability in Windshift Core, please report it responsibly. Do not open a public GitHub issue.

Instead, please email security@windshift.ch with:

• A description of the vulnerability
• Steps to reproduce the issue
• Any potential impact you've identified

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation plan within 7 days depending on severity.

Security updates are provided for the latest release only.

This policy applies to the Windshift Core codebase. Third-party dependencies are outside scope, though we appreciate reports if you find a vulnerability in a dependency we use.

We appreciate the security research community's efforts to improve our software. Contributors who report valid vulnerabilities will be credited in release notes (unless they prefer to remain anonymous).