Security: LeavePulse/server-poller

Security Policy

We take the security of LeavePulse and its public libraries seriously. Thank you for helping keep the platform and its users safe.

Reporting a vulnerability

Please do not report security vulnerabilities through public issues, pull requests, or discussions.

Instead, report them privately through GitHub's private vulnerability reporting:

  1. Go to the affected repository's Security tab.
  2. Click "Report a vulnerability" to open a private advisory.
  3. Describe the issue with enough detail for us to reproduce it.

If private reporting is unavailable for a given repository, open a minimal issue asking us to enable it — without disclosing the vulnerability — and we will follow up privately.

What to include

A good report typically contains:

  • The affected repository, component, and version or commit.
  • A description of the vulnerability and its potential impact.
  • Step-by-step reproduction instructions or a proof of concept.
  • Any relevant logs, payloads, or configuration (with secrets redacted).

Our commitment

  • We aim to acknowledge new reports within a few business days.
  • We will keep you informed about our progress toward a fix.
  • We will coordinate public disclosure with you once a fix is available.
  • We will credit reporters who wish to be acknowledged.

Scope

This policy covers the repositories in the LeavePulse organization. The majority of the platform's application code is private; the public repositories are the shared libraries and SDKs. Reports against either are welcome.
