# Security Policy

## Supported versions

Security support covers the current tagged release and the latest unreleased main branch of DocTrust.

## Reporting a vulnerability

For sensitive issues, use GitHub's private security advisory flow:

- [Report a security advisory](https://github.com/MonkeyTime/doctrust/security/advisories/new)

Please include:

- the affected component,
- a minimal reproduction,
- the expected security impact,
- whether the issue touches the spec, SDKs, demo code, or trust registry behavior.

## What to avoid in public issues

Do not post secrets, private keys, full exploit details, or production payloads in public issues.

## Response expectations

We will triage security reports as soon as practical and prefer coordinated disclosure for anything that could impact real users.
