Security: ragnarok22/polingo

.github/SECURITY.md

Security Policy

We take the security of Polingo seriously and appreciate responsible disclosures that help keep our users safe.

Supported Versions

Security fixes are prioritized for:

  • The current main branch.
  • All published npm releases within the last six months.

Older releases may receive fixes on a best-effort basis only.

Reporting a Vulnerability

Please email security@polingo.dev with the following details:

  • A clear description of the issue and potential impact.
  • Steps to reproduce, including sample code or configuration if applicable.
  • Any relevant logs, stack traces, or proof-of-concept exploits.
  • Whether the vulnerability has been disclosed publicly.

We ask that you do not open a public GitHub issue for security reports.

Response Process

  1. A maintainer will acknowledge your report within five business days.
  2. The team will investigate, confirm scope, and determine severity.
  3. We will coordinate any necessary fixes and prepare an advisory.
  4. We will keep you informed of progress and expected timelines.
  5. Once a fix is available, we will publish a security release and credit you (with your permission).

Guidelines for Researchers

  • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption.
  • Limit testing to your own environments. Do not exploit the vulnerability beyond what is necessary to prove its existence.
  • Give us a reasonable amount of time to remediate before publicly disclosing.

Non-Security Issues

Please use GitHub issues for bug reports or feature requests that are not security related. For conduct concerns, contact conduct@polingo.dev as noted in our Code of Conduct.

Thank you for helping secure Polingo!

There aren’t any published security advisories