Security: cachix/devenv

Security Policy

Reporting a Vulnerability

We take the security of devenv seriously. If you believe you've found a security vulnerability, please follow these steps:

  1. Do NOT disclose the vulnerability publicly (no GitHub issues, public discussions, etc.)
  2. Email us at [email protected] with:
    • A description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Any additional information that might be helpful

What to Expect

  • We will acknowledge receipt of your report within 2 business days
  • We will provide an initial assessment of the report within 5 business days
  • We will keep you informed of our progress
  • After the vulnerability is fixed, we will publicly acknowledge your responsible disclosure (unless you prefer to remain anonymous)

Public Disclosure

We prefer coordinated disclosure:

  1. The issue is first reported privately
  2. Issues are fixed in the repository
  3. A release containing the fix is published
  4. After an appropriate time window (to allow users to update), the vulnerability details are published

Thank you for helping keep devenv and its users safe!

There aren’t any published security advisories