Report vulnerabilities to security@vibestack.dev with reproduction steps, affected artifacts, and threat impact.
- Acknowledge within 72 hours.
- Initial triage within 7 days.
- Mitigation plan within 14 days for confirmed issues.
- No secrets in repository artifacts.
- Least-privilege credentials for CI and automations.
- Threat-model updates documented in
.vibestack/skills/threat-modeling.md.