If you discover a security vulnerability in vens, please report it responsibly:

1. Do not open a public GitHub issue
2. Email the maintainers or use GitHub's private vulnerability reporting
3. Include steps to reproduce the vulnerability
4. Allow reasonable time for a fix before public disclosure

We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.

• Dependencies are regularly updated via Dependabot
• Code is scanned with CodeQL on every PR
• OpenSSF Scorecard monitors security posture