
Security: fevra-dev/restless


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take the security of Restless seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use one of these methods:

  1. GitHub Security Advisories (Preferred)

    • Navigate to the Security tab of this repository
    • Click "Report a vulnerability"
    • Provide details of the vulnerability
  2. Direct Contact

    • Contact the maintainers directly through GitHub

What to Include

Please include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Triage: Within 7 days
  • Fix (Critical): Within 14 days
  • Fix (High/Medium): Within 30 days
  • Fix (Low): Within 90 days

Recognition

We appreciate responsible disclosure. Contributors who report valid security issues may be acknowledged in:

  • Release notes
  • Security advisories
  • CONTRIBUTORS file (with permission)

Security Best Practices

When using Restless:

  1. Never commit secrets to version control
  2. Use environment variables for tokens and credentials
  3. Run in isolated environments when testing against production APIs
  4. Review scan results before sharing them; they may contain sensitive data (tokens, cookies, response bodies)
  5. Keep dependencies updated for latest security patches
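The following is an added example, not code from the Restless project, showing how items 2 and 4 above can be enforced in practice: the API token is read from an environment variable and the scan fails closed if it is missing, and a scan result is scrubbed of credential-bearing headers and token-like strings before it is shared. The environment variable name `RESTLESS_API_TOKEN`, the sensitive-key list and the JSON scan-result layout are assumptions made for this example, not the tool's real interface or output format.

```python
"""Added example (not part of Restless): keep the API token out of source
and redact secrets from scan output before sharing it. The JSON layout of
the scan result below is a constructed sample, not the tool's real format."""
import json
import os
import re
from typing import Any, Mapping, Optional

# Header and field names that commonly carry credentials. Assumption for
# this example: extend the set for the APIs you scan. Matched case-insensitively.
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "x-api-key",
                  "api_key", "token", "password", "secret"}

# Token-like strings embedded in free text (URLs, bodies, log lines).
TOKEN_PATTERNS = [
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{16,}"),          # Bearer tokens
    re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),  # JWTs
    re.compile(r"\b[A-Fa-f0-9]{32,}\b"),                            # long hex keys
]

REDACTED = "[REDACTED]"


def load_token(var: str = "RESTLESS_API_TOKEN",
               env: Optional[Mapping[str, str]] = None) -> str:
    """Read the token from the environment (item 2 above) and fail closed
    if it is absent, so a missing secret never silently turns into an
    unauthenticated scan. The variable name is an assumption for this example."""
    source = os.environ if env is None else env
    token = source.get(var, "").strip()
    if not token:
        raise RuntimeError(f"{var} is not set; refusing to run")
    return token


def redact_text(s: str) -> str:
    """Mask token-like substrings in a free-text value."""
    for pat in TOKEN_PATTERNS:
        s = pat.sub(REDACTED, s)
    return s


def redact(obj: Any) -> Any:
    """Recursively scrub a scan result: replace values under sensitive keys
    outright and mask token-like strings everywhere else."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def redact_report(raw_json: str) -> dict:
    """Parse a JSON scan result and return its redacted form (item 4 above)."""
    return redact(json.loads(raw_json))


# Constructed sample scan result: a key leaked in a query string, a Bearer
# header and a JWT echoed in a response body.
SAMPLE = json.dumps({
    "target": "https://api.example.test/v1/users?token=0123456789abcdef0123456789abcdef",
    "findings": [
        {"id": "F1",
         "request": {"headers": {"Authorization": "Bearer abc.def.ghi0123456789"}},
         "response": {"body": "ok: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJlX2hlcmVfeHh4"}},
    ],
})

if __name__ == "__main__":
    token = load_token()  # aborts with a clear error if the variable is unset
    print(json.dumps(redact_report(SAMPLE), indent=2, sort_keys=True))
```

Key-based redaction runs before pattern matching, so a header such as `Authorization` is dropped whole regardless of its value; the regexes only exist to catch secrets that leak into places without a telling key, like a query string or a response body. Treat the redacted output as a lower bound on what was removed and still review it by eye before sharing.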

Scope

This security policy applies to:

  • The Restless CLI tool
  • The web dashboard
  • Official Docker images
  • Documentation

Third-party forks and modifications are outside our scope.

There aren't any published security advisories