Report suspected vulnerabilities or secret exposure to security@trustsignal.dev.
- Include the affected repository, environment, and any known receipt IDs, workflow IDs, or request IDs.
- Do not post sensitive findings in public issues.
- Use private evidence storage for screenshots, logs, or provider console exports.
- We acknowledge receipt within 3 business days.
- We triage severity and the containment path before broad disclosure.
- We coordinate remediation and external communication through the incident response plan.