If you discover a security vulnerability in Sona, thank you for reporting it responsibly.
Please follow these steps:
- Do not publicly disclose the issue.
- Email sona-dev@hotmail.com with:
  - A short description of the issue
  - Steps to reproduce
  - Any PoC code or sample inputs
- We will acknowledge receipt within 3 business days and provide an estimated timeline for a fix.
If you cannot use email, open a private support ticket with the project maintainers.
We will respond to security reports for the current release (v0.9.9) and the prior minor release (v0.9.8).
We aim to coordinate disclosure to give users time to update. We reserve the right to release a public advisory once a fix is available or after reasonable notice.