If you discover a security vulnerability in any Statewave repository, please report it responsibly.

• Open a public GitHub issue
• Discuss the vulnerability publicly before it's fixed
• Exploit the vulnerability

1. Email us at: security@statewave.ai

2. Include in your report:

   • Description of the vulnerability
   • Steps to reproduce
   • Affected repository and version
   • Potential impact assessment
   • Any suggested fixes (optional)

3. What to expect:

   • Acknowledgment within 48 hours
   • Initial assessment within 5 business days
   • Resolution timeline communicated based on severity
   • Credit in release notes (if desired)

Statewave maintains security through:

• Dependency Scanning: Dependabot enabled on all repositories
• Code Scanning: GitHub CodeQL analysis on PRs
• CI/CD Security: All PRs require passing security checks
• Secret Management: Secrets via environment variables, never in code
• Access Control: Principle of least privilege for all systems
• Audit Logging: Provenance tracking for all data operations

We believe in responsible disclosure and will:

• Work with you to understand and validate the issue
• Keep you informed of our progress
• Credit researchers who report valid issues (unless anonymity requested)
• Not take legal action against good-faith security research

This policy applies to all Statewave repositories:

• statewave - Core backend
• Python SDK (pip install statewave, source: github.com/smaramwbc/statewave-py)
• TypeScript SDK (npm install @statewavedev/sdk, source: github.com/smaramwbc/statewave-ts)
• statewave-docs - Documentation
• statewave-examples - Examples
• statewave-web - Marketing site + embedded demo
• statewave-admin - Admin dashboard

• Security issues: security@statewave.ai
• General questions: GitHub Discussions