This file exists so GitHub's "Report a vulnerability" button surfaces the policy from any tab in the repository UI. The canonical policy lives at the repository root.

See /SECURITY.md for:

• How to report a vulnerability (private security advisory or security@gonext.io).
• Response SLAs (24h acknowledgement, 7d initial assessment, 90d coordinated disclosure default).
• What is in scope versus out of scope.
• Safe-harbor language for good-faith researchers.

See also:

• /docs/15-security-policy.md — full policy, threat model summary, hardening defaults, plugin author expectations, breach recovery runbook.
• /docs/16-bug-bounty.md — bounty tiers, report template, payout terms.
• /.well-known/security.txt — RFC 9116 machine-readable summary.

Do not open a public GitHub issue for a security vulnerability. Use the private advisory form instead.