Security: promptfoo/js-rouge

SECURITY.md

Security Policy

Supported Versions

Version Supported
3.x
< 3.0

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

  1. Do NOT open a public GitHub issue for security vulnerabilities
  2. Email the maintainers at security@promptfoo.dev
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: We will acknowledge your report within 48 hours
  • Updates: We will keep you informed of our progress
  • Resolution: We aim to release a fix within 30 days for critical issues
  • Credit: We will credit you in the release notes (unless you prefer to remain anonymous)

Scope

This security policy applies to:

  • The js-rouge npm package
  • The source code in this repository

Out of Scope

  • Third-party dependencies (please report to the respective maintainers)
  • Issues in forks or unofficial distributions

Security Best Practices

When using js-rouge:

  • Keep your dependencies up to date
  • Use the latest stable version
  • Review the CHANGELOG for security-related updates

Past Security Issues

For a history of security fixes, see our CHANGELOG and search for entries marked with security-related tags.

There aren’t any published security advisories