Do NOT open a public issue for security vulnerabilities.

If you discover a security bypass or any vulnerability in Crust, please report it privately using one of these methods:

1. GitHub Private Vulnerability Reporting (preferred): Go to the Security Advisories page and click "Report a vulnerability"

2. Email: security@bakelens.com

• Crust version (crust version)
• Operating system and version
• Which security layer was bypassed (Layer 0/1)
• Steps to reproduce
• Impact assessment

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix timeline: depends on severity, typically within 30 days for critical issues

The following are in scope:

• Rule engine bypasses (Layer 0/1)
• Path traversal or glob matching bugs
• Network filter bypasses
• Privilege escalation

We will not pursue legal action against security researchers who:

• Make a good faith effort to avoid privacy violations and data destruction
• Report vulnerabilities privately before any public disclosure
• Give us reasonable time to address the issue before disclosure