Security: rezacute/kincir

.github/SECURITY.md

Security Policy

The Kincir team and community take security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Reporting a Vulnerability

If you believe you have found a security vulnerability in Kincir, please report it to us by emailing security@example.com (replace with a real dedicated email address if available, otherwise, specify to open a confidential issue if the platform supports it, or as a last resort, a regular issue with a clear "Security Vulnerability" title).

Please do not report security vulnerabilities through public GitHub issues.

You should include the following information in your report:

  • A clear description of the vulnerability.
  • Steps to reproduce the vulnerability.
  • The version of Kincir affected.
  • Any potential impact you've identified.
  • Your name and a way to contact you (optional, for acknowledgment).

Our Commitment

  • We will acknowledge receipt of your vulnerability report within 48 hours.
  • We will investigate the report and determine its validity and severity.
  • We will keep you informed of our progress.
  • We will publicly disclose the vulnerability once a fix is available, and credit you for the discovery, unless you prefer to remain anonymous.

Scope

This policy applies to the latest released version of Kincir and any supported beta versions. Older versions should be updated to the latest release.

Best Practices

While we strive to make Kincir secure, we also recommend users follow security best practices:

  • Keep your Kincir version up-to-date.
  • Secure your message broker infrastructure.
  • Follow the principle of least privilege for applications using Kincir.

Thank you for helping keep Kincir secure!

There aren’t any published security advisories