Security: winccoa-tools-pack/.github

SECURITY.md

Security Policy

If you discover a security vulnerability in any project within the WinCC OA Tools Pack, thank you for reporting it responsibly.

Reporting

  • Preferred: Open a confidential report by emailing security@winccoa-tools-pack.example (replace with your org email) with a clear subject and steps to reproduce. Attach logs, versions and an impact assessment if available.
  • Alternative: If you cannot email, create a new issue labeled security in this repository. Note that private or restricted issues require organization settings; maintainers will triage and move sensitive details to a private channel if needed.

Important: Replace the placeholder email address <security@winccoa-tools-pack.example> with your real security contact before publishing this repository or copying this SECURITY.md into other projects.

Response policy

  • We will acknowledge reports within 3 business days.
  • Critical vulnerabilities will receive an initial response and mitigation plan within 5 business days.
  • We aim to publish fixes within a reasonable timeframe and will coordinate public disclosure with the reporter.

Disclosure

  • Coordinated disclosure is preferred. Do not publicly disclose the vulnerability until a fix has been released or an agreed timeline has elapsed.
  • If you are a security researcher, include contact details and allow the maintainers reasonable time to respond.

Patches and mitigations

  • When a patch is available, it will be published in the repository with a security advisory and release notes.
  • We will backport fixes to supported branches where feasible.

Acknowledgements

  • Reporters who follow responsible disclosure may be acknowledged in the project security advisory and/or SECURITY.md, unless they request anonymity.

There aren’t any published security advisories