# Security

## Reporting security issues

If you find a vulnerability or security concern **in the CERG framework itself** (not in an organization that uses it), please report it responsibly:

1. **Do not** open a public GitHub issue for sensitive security findings.
2. Open a [GitHub Security Advisory](https://github.com/m0dernz/CERG/security/advisories/new) or contact the maintainers directly.
3. Allow reasonable time for a response before public disclosure.

## What this covers

This policy covers security issues in the CERG repository — broken access controls in the CI pipeline, exposed credentials, or vulnerabilities in the build/deploy tooling.

For security issues in an **organization that uses CERG**, contact that organization's security team. CERG is a framework; implementation security is the adopter's responsibility.