We appreciate responsible disclosures that help keep the Lattice Simulator and the wider GridPlus ecosystem safe. Please follow the guidelines below when reporting security issues.

Security fixes are applied to the main branch and the latest tagged release. Older releases may not be patched retroactively.

1. Do not open a public GitHub issue for security reports.
2. Email a detailed report (steps to reproduce, impact, affected components, and suggested mitigations if known) to security@gridplus.io.
3. Encrypt sensitive details if needed; we can coordinate PGP keys after initial contact.

We aim to acknowledge new reports within 3 business days. Please allow adequate time for investigation and remediation before any public disclosure.

• Give the maintainers a reasonable window to fix the issue before sharing it publicly.
• Avoid exploiting the vulnerability beyond what’s necessary to demonstrate the impact.
• Once a fix is released, we’ll work with you on coordinated disclosure and attribution (if desired).

Thank you for helping us keep the simulator secure.