If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue.
2. Use the GitHub Security Advisory to report privately.
3. Include steps to reproduce, potential impact, and any suggested fixes.

We will acknowledge your report within 5 business days and work with you to resolve the issue.

This policy applies to the HKUDS/Vibe-Trading repository.

• Please do not publicly disclose the vulnerability until we have released a fix.
• We will credit reporters in the release notes (unless you prefer anonymity).