Security: rogerchappel/diffbudget

SECURITY.md

Security Policy

Supported Versions

Replace this section with the supported versions for diffbudget.

Example:

| Version | Supported |
| --- | --- |
| .x | Yes |
| < .0 | No |

If the project does not publish versioned releases yet, say that clearly.

Reporting a Vulnerability

Please do not report suspected vulnerabilities in public issues, pull requests, or discussions.

Ask maintainers for the private security reporting path before sharing details.

If no private reporting path exists yet, ask maintainers through public project channels for a private reporting path. Do not include exploit details, secrets, personal data, or sensitive technical details in public messages.

What to Include

When a private reporting path is available, include:

  • A clear description of the issue.
  • Affected versions, files, packages, workflows, or configuration.
  • Steps to reproduce, proof of concept, or attack scenario when safe to share.
  • Potential impact.
  • Suggested mitigation, if known.

Response Expectations

Maintainers review good-faith reports as capacity allows.

Do not imply paid support, guaranteed response times, guaranteed fixes, or service-level agreements unless diffbudget explicitly provides them.

Scope

In scope:

  • Vulnerabilities in diffbudget.
  • Insecure default configuration shipped by this project.
  • CI, release, or dependency guidance maintained by this project.

Out of scope:

  • General support requests.
  • Requests for guaranteed maintenance timelines.
  • Issues in unrelated downstream projects.

Disclosure

Coordinate disclosure with maintainers before publishing vulnerability details.

DiffBudget safety notes

DiffBudget does not need network access for init, scan, report, or doctor. Please report any accidental secret exposure, unsafe path handling, or unexpected network behavior as a security issue.

Reports should be reviewed before sharing outside a private team, especially when custom configuration disables redaction.

There aren't any published security advisories