If you discover a security vulnerability in the Gap Score reference validators or specification, please report it responsibly.

1. Do not open a public issue for security vulnerabilities
2. Email the maintainer at the address listed on the GitHub profile
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Assessment: Within 7 days
• Fix: Depends on severity, but we aim for prompt resolution

This security policy covers:

• Reference validators (validators/gap-score.py, validators/gap-score.sh) — e.g., input injection, path traversal
• JSON Schema (validators/gap-report-schema.json) — e.g., schema bypass enabling malicious payloads
• Specification (SPEC.md) — e.g., protocol weaknesses that could allow gaming the Gap Score

• Implementations of the spec by third parties (report to those projects directly)
• Sealed test quality (this is a correctness concern, not a security concern)