
Security: aami-dodon/Shippy


SECURITY.md

Security Policy

Supported versions

Security fixes are applied to the main branch and the most recent tagged release. Older releases may receive fixes at the maintainers' discretion when the vulnerability is critical and the patch is low risk.

Reporting a vulnerability

We take security seriously. If you discover a vulnerability, please follow the steps below:

  1. Email security@shippy.dev with the subject line Vulnerability Report.
  2. Include a detailed description of the issue, the steps required to reproduce it, and any potential impact.
  3. Do not open a public GitHub issue before we have had a chance to investigate and release a fix.

You will receive an acknowledgement within two business days. We will keep you informed about the progress and notify you when the fix is released.

Disclosure policy

  • We aim to release fixes within 30 days of receiving a report.
  • After the patch is available, we will coordinate a disclosure timeline with the reporter.
  • Credit will be given to reporters who wish to be acknowledged.

Hardening guidelines

  • Rotate all secrets stored in .env files regularly and never commit them to the repository.
  • Use strong, unique passwords for all infrastructure accounts.
  • Enforce least-privilege access for databases, storage buckets, and third-party services.
  • Monitor logs for suspicious authentication attempts and API traffic anomalies.
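The last guideline, monitoring for suspicious authentication attempts, is the one most often left as a sentence and never implemented. The following is an added example, not code from the Shippy project, that turns it into a concrete check: a sliding-window detector that flags any source IP with a burst of failed logins, and reports how many distinct usernames were tried so that credential stuffing and password spraying stand out from a single user mistyping a password. The log format (`ip=`, `user=`, `event=`, `result=` key-value pairs) and the sample lines are constructed for the example; adjust the regular expression to the application's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from Shippy). The format is an
# assumption for this example: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice event=login result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=alice event=login result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=bob event=login result=fail
2024-05-01T10:00:07Z ip=203.0.113.5 user=carol event=login result=fail
2024-05-01T10:00:09Z ip=203.0.113.5 user=dave event=login result=fail
2024-05-01T10:00:11Z ip=203.0.113.5 user=alice event=login result=fail
2024-05-01T10:00:12Z ip=198.51.100.7 user=erin event=login result=fail
2024-05-01T10:00:20Z ip=198.51.100.7 user=erin event=login result=fail
2024-05-01T10:00:25Z ip=198.51.100.7 user=erin event=login result=ok
this line is malformed and must be skipped, not crash the detector
2024-05-01T11:30:00Z ip=203.0.113.5 user=alice event=login result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (max_failures_in_window, distinct_users_in_that_window)}.

    An IP is reported when at least `threshold` failed logins fall inside any
    sliding window of length `window`. A high distinct-user count for one IP
    indicates password spraying; a low one indicates brute force on one account.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login" or rec["result"] != "fail":
            continue
        failures[rec["ip"]].append((rec["ts"], rec["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()  # logs may arrive out of order; sort by timestamp
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events in [start, end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {user for _, user in events[start:end + 1]}
                if ip not in alerts or count > alerts[ip][0]:
                    alerts[ip] = (count, len(users))
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {count} failed logins within 5 min across {users} usernames")
```

In the sample, `203.0.113.5` trips the threshold (six failures in ten seconds across four usernames), while `198.51.100.7`, with two failures followed by a success, does not. In production the same function would run over a tailed log or a SIEM export, and the threshold should be tuned against a baseline of normal failure rates before alerts are paged out.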

There aren’t any published security advisories