Please do not report security vulnerabilities through public GitHub issues.

Use GitHub's private Security Advisories feature to report vulnerabilities confidentially. This keeps the details private until a fix is available.

• Description of the vulnerability and its potential impact
• Steps to reproduce or proof-of-concept
• Proxmox VE version and LightOS version where applicable
• Any suggested mitigations you are aware of

We will acknowledge your report within 5 business days and aim to release a fix within 90 days depending on severity. We will keep you informed of progress and coordinate disclosure timing with you.

This policy covers the plugin code in this repository (LightbitsPlugin.pm, install.sh, uninstall.sh). Vulnerabilities in Proxmox VE itself or Lightbits LightOS should be reported to their respective maintainers.