Security: IntentProof/intentproof-sdk-node

SECURITY.md

Security Policy

Reporting A Vulnerability

Report suspected vulnerabilities to security@intentproof.io. If you need to share sensitive details before a public encryption key is published, open a private GitHub Security Advisory draft in this repository or send an initial unclassified message to arrange a secure channel.

Please include:

  • Affected package, SDK API, signing path, outbox behavior, release artifact, or workflow.
  • Impact and exploitation conditions.
  • Reproduction steps or proof-of-concept details when safe to share.
  • Whether the issue is already public or shared with anyone else.

Response Process

IntentProof follows the coordinated security-release process published in IntentProof/intentproof-infra. That policy defines severity tiers, SLAs, embargo handling, public disclosure, and dependency-scanning rules.

Do not report security vulnerabilities through public GitHub Issues unless the issue is already public and contains no sensitive exploitation detail.

There aren't any published security advisories