Security: freedom07/envdiff

SECURITY.md

Security Policy

Supported Versions

Version Supported
latest

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public issue
  2. Use GitHub's private vulnerability reporting
  3. Or email: security@example.com

We will acknowledge receipt within 48 hours and provide a timeline for a fix.

Security Considerations

envdiff handles .env files, which may contain secrets. By design:

  • Values are masked by default in output
  • The --show-values flag must be explicitly passed to reveal values
  • JSON output (--format json, --ci) never includes values
  • envdiff never writes to, modifies, or transmits .env files

There aren't any published security advisories