# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 0.1.x   | Yes       |

## Reporting a Vulnerability

If you discover a security vulnerability, **please do not open a public issue.** Instead, email **security@consentos.dev** with:

- A description of the vulnerability
- Steps to reproduce
- Any relevant logs or screenshots
- Your assessment of severity

We aim to acknowledge reports within **48 hours** and provide a fix or mitigation plan within **7 days** for critical issues.

## Scope

The following are in scope for security reports:

- The ConsentOS API (`apps/api/`)
- The consent banner script (`apps/banner/`)
- The scanner service (`apps/scanner/`)
- The admin UI (`apps/admin-ui/`)
- Docker and Helm deployment configurations

## Responsible Disclosure

We ask that you give us reasonable time to address any reported vulnerabilities before disclosing them publicly, remembering that this is a free, open source project and not paid work. We are happy to credit researchers who report valid issues (unless you prefer to remain anonymous).