# Security Policy

## Supported Versions

Only the current `main` branch is supported with security updates.

## Reporting a Vulnerability

**Do not use public GitHub issues to report security vulnerabilities.**

Instead, email **security@quicprochat.org** with:

- A description of the vulnerability
- Steps to reproduce or a proof of concept
- The affected component(s) and potential impact

We will acknowledge your report within **48 hours** and work with you on a fix under a **90-day coordinated disclosure** timeline.

## What Qualifies

- Cryptographic implementation bugs (MLS, Noise, hybrid KEM, key derivation)
- Authentication or authorization bypass
- Key material leakage (memory, logs, network)
- Protocol-level flaws (replay, downgrade, impersonation)
- Any issue that compromises message confidentiality or integrity

## Credit

Reporters are credited in published security advisories unless they prefer to remain anonymous. Let us know your preference when you report.