Security Policy Report vulnerabilities privately to security@bobbinry.com. Do not open public issues for security reports. We aim to acknowledge within 72h and fix within 90 days depending on severity. Scope Core shell, SDK, compiler, and first-party bobbins. Hosted deployments run by the Bobbinry team (if applicable). Hallmarks Default-deny external access for bobbins. Sandboxed novel views (iframes + strict CSP). Egress proxy with allowlist for external calls.