Security: ockham-sh/.github

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open public GitHub issues for security vulnerabilities.

Email security@ockham.sh with:

  • A description of the vulnerability
  • Steps to reproduce, if applicable
  • The affected repository, package(s), and version(s)
  • Any potential impact you have identified

You can also use GitHub's private vulnerability reporting on the affected repository (the "Report a vulnerability" button under the Security tab).

What to expect

  • 48 hours: we acknowledge your report.
  • 7 days: we provide an initial assessment and an estimated timeline.
  • 30 days: we aim to release a fix for confirmed vulnerabilities.

We follow responsible disclosure, coordinate timing with you, and credit reporters in release notes unless you prefer to remain anonymous.

Scope

This policy applies across the Ockham repositories: the open-source parsimony data stack (parsimony-core, parsimony-agents, parsimony-connectors) and Ockham Terminal. A repository may add repo-specific notes (for example, self-hosting hardening) in its own SECURITY.md.

There aren't any published security advisories