
Security: starter-series/telegram-bot-starter


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue.
  2. Email heznpc@gmail.com or use GitHub Security Advisories.
  3. Include steps to reproduce, impact assessment, and suggested fix if possible.

We will respond within 48 hours and work with you to resolve the issue.

Security Features

This template includes automated security checks in CI:

  • Dependency audit: npm audit on every push (HIGH/CRITICAL threshold)
  • Secret leak detection: gitleaks scans every commit
  • Dependency updates: Dependabot monitors for vulnerable dependencies

Best Practices

  • Never commit .env files or secrets — they are gitignored by default
  • Use GitHub Secrets for deployment credentials
  • Keep dependencies up to date by merging Dependabot PRs
  • Command injection — Never pass user message content to child_process.exec() or eval(). If your bot runs shell commands, use execFile() with explicit argument arrays and validate all inputs against an allowlist.
