Security: sotashimozono/doiget

.github/SECURITY.md

Security policy

doiget treats security reports seriously. This file is a pointer so GitHub's Security tab can find the disclosure path. The full normative security policy (threat surfaces, supply-chain controls, and posture) lives in docs/SECURITY.md; the contact channel and SLA live in CONTACT.md.

Reporting a Vulnerability

Please use GitHub Private Vulnerability Reporting:

https://github.com/sotashimozono/doiget/security/advisories/new

Public issues, public discussions, and public pull requests are not the right channel for security reports. If GitHub PVR is unavailable to you, see CONTACT.md §"Security disclosures" for the documented email fallback.

Acknowledgement timeline

Per CONTACT.md §"Service-Level Agreement":

  • First response: within 7 calendar days of receipt (extending up to 14 days during documented extended absence).
  • Substantive response: within 30 calendar days.
  • Coordinated disclosure is preferred. Reporters who wish to be credited will be acknowledged in CHANGELOG.md and any subsequent advisory.

Scope

In scope: doiget-core, doiget-cli, doiget-mcp (under crates/).

Out of scope:

  • Third-party services queried by doiget (Crossref, Unpaywall, arXiv, etc.). Report those to the respective providers.
  • TDM features (Phase 5; opt-in user builds gated by a Cargo feature flag per ADR-0002) unless the issue also affects the default build.
  • The contents of fetched PDFs (ADR-0003).

Supported versions

Version                      Status
Latest released version      Supported
Pre-1.0 development (0.x)    Best-effort
Older 0.x releases           Not supported

See CHANGELOG.md for the current release state.

Reference

  • docs/SECURITY.md — NORMATIVE security policy (threat surfaces, supply-chain controls, eight-safeguard legal stance per ADR-0019, no telemetry per ADR-0015).
  • CONTACT.md — contact channel, SLA, and email fallback.