• Email security@shelby.xyz with Security Report in the subject line.
• Include affected product/service, version or commit, impact, reproduction steps, and any relevant logs or proof-of-concept.
• Please do not open public GitHub issues for security problems.

We monitor the security inbox on business days and will acknowledge new reports as quickly as we can. If you have not received a response within five business days, feel free to follow up on the same thread.

Once a report is validated, we will work with you to investigate, remediate, and coordinate disclosure. We may request additional information or a safe channel for sharing sensitive artifacts.

We do not currently run a public bug bounty program or offer monetary rewards. We still appreciate responsible disclosures and will credit researchers when possible.

• Our current security.txt file lives at: https://shelby.xyz/security.txt
• For non-security issues (bugs, feature requests, questions), please continue to use the standard GitHub issue templates referenced in README.md.