
Security: mitgdev/mitg.forge

SECURITY.md

Security Policy

Supported Versions

Version          Supported
main / latest
older releases   ❌ (case-by-case)

Security fixes target the latest stable release. Backports are evaluated by impact and effort.

Reporting a Vulnerability

Please report privately to suporte@mitg.gg with:

  • Summary, impact, and severity (if known)
  • Reproduction steps or PoC
  • Affected version/commit and environment
  • Your contact and preferred disclosure timeline

We aim to acknowledge within 72h and provide a first status update within 7 days.

Do not create public issues or PRs describing the vulnerability.

Coordinated Disclosure

  • We confirm, triage, and assign a CVSS-like severity.
  • We develop and validate a fix; you may be asked to verify.
  • We coordinate a disclosure date and publish release notes.
  • Credit is given (optional) after users have a reasonable update window.

Scope

  • Code in this repository
  • Default configurations provided here

Out of scope (examples):

  • Social engineering, physical attacks
  • Typos, missing best practices with no security impact
  • Volumetric DoS without a bypass/bug in the software
  • Reports without a PoC or without demonstrable impact

Safe Harbor

We will not pursue legal action for good-faith research that:

  • Respects privacy and does not access third-party data
  • Avoids service disruptions
  • Maintains confidentiality until correction/coordinated disclosure

Public Communication

Please keep all discussion private until we release a fix. After disclosure, prefer PRs/Issues for non-sensitive items.

Cryptography / Verification (optional)

If you wish to encrypt your report, request our PGP key at suporte@mitg.gg.

Third-Party Dependencies

If the issue is in a dependency, we may forward the report to the upstream project and coordinate timelines.

Contact
