Please do not open public issues for security reports.

Use GitHub's private reporting flow:

1. Open the repository Security tab.
2. Click Report a vulnerability.
3. Include reproduction steps, impact, and affected version/branch.

If private reporting is unavailable, contact a maintainer directly and share details privately.

• Initial triage response: within 7 days.
• Status update after validation: within 14 days.
• Fix timeline depends on severity, exploitability, and release risk.

This policy covers the DUMB backend codebase and repository workflows. Related projects (like dmbdb) may have separate policies.