If you discover a security vulnerability in Ward, please report it responsibly.

Do NOT open a public issue for security vulnerabilities.

Instead, please email security concerns to the project maintainers directly.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

• We will acknowledge receipt within 48 hours
• We will provide a detailed response within 7 days
• We will work with you to understand and resolve the issue

This security policy applies to:

• @useward/instrumentation (Next.js instrumentation SDK)
• @useward/mcp (MCP server)
• @useward/devtools (Local development dashboard)

When using Ward:

• Only run devtools in development environments
• Do not expose devtools port (19393) to public networks
• Keep dependencies updated

Thank you for helping keep Ward secure.