This file mirrors the GitHub-facing entry points for security disclosure. The canonical security policy lives at SECURITY.md in the repository root.

1. Do not open a public issue.
2. Email security@peacprotocol.org or open a private advisory at https://github.com/peacprotocol/peac/security/advisories.
3. Include affected versions, reproducer, observed versus expected behavior, and your impact assessment.

Acknowledgement targets:

• Critical: 48 hours.
• High: 72 hours.
• Medium: 7 days.
• Low: 14 days.

Patch-and-disclosure timelines, supply-chain attestations, and the full trust-artifact index are documented in the canonical SECURITY.md.

See SECURITY.md: Supported versions for the authoritative list.

• Threat model.
• Stability contract.
• SLO.
• Security operations.
• Trust artifacts.