Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in sparQ, please report it responsibly.

Do NOT file a public GitHub issue for security vulnerabilities.

Include:

Acknowledgment: Within 48 hours of receipt
Initial assessment: Within 5 business days
Fix or mitigation: Varies by severity —
- Critical: 72 hours
- High: 1 week
- Medium/Low: Next scheduled release

This policy applies to:

We appreciate responsible disclosure and will credit reporters (with permission) in release notes when vulnerabilities are addressed.