Please report suspected vulnerabilities privately by emailing hello@thalovant.com.
Do not open a public issue for a suspected vulnerability. Include the affected repository or package, the observed behavior, and the minimum reproduction details needed to investigate. Do not include real credentials, customer data, or private exploit details in public channels.
The maintainers will acknowledge critical reports within one hour and high severity reports within one business day. The remediation targets are 24 hours for critical findings and seven days for high findings.
This organization-level policy applies to Thalovant repositories that do not
contain a more specific local SECURITY.md.