# Security policy for CxLLM-OS-APP

## Reporting a vulnerability

Please email **security@cxllm-studio.com** with:

- A description of the vulnerability and its impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- The affected version(s) / commit SHAs.

We aim to acknowledge within **2 business days** and to publish a fix or mitigation within **30 days** for high-severity issues.

Do **not** open a public Gitea / GitHub issue for vulnerabilities.

## Supported versions

Only the `main` branch and the most recent tagged release receive security updates.