Security: NateBJones-Projects/OB1

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this repository, please report it responsibly. Do not open a public issue.

Email [TODO: INSERT CONTACT EMAIL] with:

  • A description of the vulnerability
  • Steps to reproduce it
  • Any relevant files or links

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation plan within 7 days.

Scope

This policy covers the contents of this repository: contribution templates, metadata schemas, CI workflows, and community documentation. It does not cover the upstream Open Brain infrastructure (Supabase instance, MCP server, etc.).

What Counts as a Vulnerability

  • CI workflows that could be exploited (e.g., script injection via PR titles or branch names)
  • Credentials, API keys, or secrets accidentally committed to the repo
  • Contribution templates or examples that encourage insecure practices

What Does NOT Count

  • Bugs in individual community contributions (report those as regular issues)
  • Feature requests or general feedback (use Discussions or Issues)

Credit

We are happy to credit reporters in release notes or CONTRIBUTORS.md unless you prefer to remain anonymous.

There aren’t any published security advisories