We take security seriously, especially where systems touch community wellbeing, sensitive context, or governance workflows.

This policy applies to:

• Code and tooling in KindPath repositories
• Website deployments and public infrastructure (where applicable)
• Configuration issues that expose secrets, credentials, or private data

• Open a public Issue for vulnerabilities that could be exploited
• Post credentials, API keys, tokens, or private data in public threads

Email:

• sam@kindpathcollective.org Subject line:
• [SECURITY]

Include:

• Where the issue is (repo + file/path + version/commit if possible)
• Impact (what could happen if exploited)
• Reproduction steps (proof-of-concept if safe)
• Any suggested mitigation or patch ideas (optional)

We will:

• Acknowledge receipt
• Assess severity and scope
• Coordinate a fix and a responsible disclosure plan

Please give us a reasonable window to investigate and patch before public disclosure. If you believe users are at immediate risk, say so clearly in your report.

If you report responsibly, you’re helping protect people — and we appreciate it.