Security fixes are prioritized for the latest released protocol and SDK versions.

Please report vulnerabilities privately to gc@gustycube.xyz.

Include:

• Affected component and version
• Reproduction steps or proof of concept
• Impact assessment

Do not disclose vulnerabilities publicly until a fix is available.

• Initial acknowledgment: within 3 business days
• Triage and severity decision: within 7 business days
• Fix timeline: based on severity and exploitability

For disclosure process details, see docs/SECURITY_DISCLOSURE.md.