Please do NOT open public issues for security vulnerabilities.

Use GitHub's private vulnerability reporting feature to report security issues.

• Acknowledge: Within 48 hours
• Status update: Within 7 days
• Fix for critical issues: Within 30 days

In scope:

• SDK client-side code
• Server proxy
• WebSocket protocol
• API key handling and session management

Out of scope:

• Browser Speech API bugs
• Third-party LLM provider vulnerabilities
• Issues in example/demo pages

We follow coordinated disclosure. We will credit reporters in the release notes (unless anonymity is requested).