If you discover a security vulnerability in Synth, please report it responsibly:

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Instead, email security concerns to the maintainers via GitHub's private vulnerability reporting:
   • Go to https://github.com/pulseengine/synth/security/advisories/new
3. Include a description of the vulnerability, steps to reproduce, and potential impact

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix & Disclosure: Coordinated with reporter

This policy covers the Synth compiler toolchain. For vulnerabilities in dependencies, please report to the respective upstream projects.