If you discover a security vulnerability in Comber, please report it privately by opening a GitHub Security Advisory:

https://github.com/wolkat/comber/security/advisories/new

Please do not report security vulnerabilities via public GitHub issues.

You should receive an acknowledgement within 48 hours. Once the issue is triaged, we will work on a fix and coordinated disclosure.

This policy covers the Comber toolkit itself -- the PowerShell scripts in scripts/ and the configuration templates in config/. Pipeline output files are regenerable and not considered part of the security boundary.