Please do not report security vulnerabilities through public GitHub issues.
Security vulnerabilities in the Semantic Intent Protocol (SIP) should be reported privately so that they can be assessed and addressed before public disclosure.
Use GitHub private vulnerability reporting if it is enabled for this repository. This allows you to submit a report directly to the maintainers without public exposure.
If private vulnerability reporting is not available, contact the maintainers through a private channel. Repository maintainers should define and publish a dedicated security contact address (for example, security@<project-domain>) for this purpose.
When reporting a vulnerability, please provide:
- A clear description of the issue and its potential impact.
- Steps to reproduce or a proof-of-concept, if available.
- The version or commit where the issue was observed.
- Any suggested mitigations, if known.
The SIP maintainers will:
- Acknowledge receipt of the report in a timely manner.
- Assess the severity and scope of the issue.
- Work toward a fix and coordinate a responsible disclosure timeline with the reporter.
- Credit reporters appropriately in the security advisory, unless anonymity is requested.
Public disclosure will not occur until a fix is available or a reasonable remediation timeline has been agreed upon with the reporter.
This policy covers the SIP reference implementation, Python SDK, protocol specification, and all code in this repository. Issues in third-party dependencies should be reported to the respective upstream maintainers.