Security: higgood/arksim

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.2.x
0.1.x
< 0.1

Reporting a Vulnerability

If you discover a security vulnerability in ArkSim, please report it responsibly.

Do not open a public issue.

Instead, email support@arklex.ai with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Response Process

  1. Acknowledgment - We will acknowledge your report within 48 hours.
  2. Assessment - We will assess the severity and impact within 5 business days.
  3. Fix - We will work on a fix and coordinate disclosure with you.
  4. Release - Security fixes are released as patch versions (e.g., 0.2.x).
  5. Disclosure - We will credit reporters in the release notes unless anonymity is requested.

Scope

The following are in scope for security reports:

  • Vulnerabilities in the arksim Python package
  • Security issues in example code that could mislead users
  • CI/CD pipeline security weaknesses
  • Dependency vulnerabilities with known exploits

The following are out of scope:

  • Vulnerabilities in third-party dependencies without a known exploit
  • Issues requiring physical access to the machine
  • Social engineering attacks

There aren't any published security advisories