We take security seriously. Thanks for helping keep GameCI and its users safe.

Please do not open a public issue.

Email maintainers@game.ci with:

• A description of the issue
• Steps to reproduce
• Affected repository, version, or workflow
• Potential impact

If you would like to encrypt your report, ask us for a public key in your first message.

• Acknowledgement within 3 business days
• Initial assessment within 7 business days
• Updates at least every 14 days until resolved
• Credit in the release notes once a fix ships, if you would like it

We follow coordinated disclosure. Please give us a reasonable window to ship a fix before sharing details publicly. We will work with you on the timing.

In scope:

• Repositories under the game-ci organisation
• Published GitHub Actions, Docker images, and npm packages maintained by GameCI

Out of scope:

• Third-party dependencies (please report upstream)
• Issues in user forks or unrelated projects

Thanks for contributing to a safer ecosystem!