
Security: VauxlNet/server


SECURITY.md

Security Policy

Vauxl is security and privacy software. We take vulnerability reports seriously and ask that you disclose them responsibly.

Reporting a vulnerability

Do not open a public issue, discussion, or pull request for a security vulnerability. Public disclosure before a fix puts users at risk.

Instead, report privately by email to security@vauxl.net. Encrypt your report where possible. Include:

  • A description of the vulnerability and its impact.
  • Steps to reproduce or a proof of concept.
  • Affected component and version (client, server, crypto, federation).
  • Any suggested remediation.

You may also use GitHub private vulnerability reporting on the affected repository if it is enabled.

Our commitment

  • Acknowledgement within 48 hours of receiving your report.
  • Assessment and a remediation plan communicated to you after triage.
  • Patch target of 7 days for critical vulnerabilities. Lower severity issues are scheduled into the normal release cycle.
  • Coordinated disclosure: we agree a disclosure timeline with you and credit you in the advisory unless you prefer to stay anonymous.

Scope

This policy covers all repositories in the VauxlNet organisation. Issues in third-party dependencies should be reported upstream, though we appreciate a heads-up so we can pin or patch.

Safe harbour

We will not pursue legal action against researchers who follow this policy, act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure.
