# SECURITY POLICY — World Transparency Graph (WTG)

Policy-Version: v1.0.0  
Effective-Date: 2026-02-28  
Owner: WTG Governance Team

## Reporting vulnerabilities

Use GitHub Security Advisories for responsible disclosure:

- Private report path: repository `Security` tab -> `Report a vulnerability`.
- Do not disclose exploit details publicly before triage.

## Supported versions

Security support applies to:

- Latest `main` release line.
- Most recent tagged public release.

Older snapshots may not receive security fixes.

## Disclosure SLA targets

Target response windows:

- Acknowledgement: within 72 hours.
- Initial triage: within 7 calendar days.
- Mitigation plan: as soon as reproducibility and impact are confirmed.

These targets are best-effort goals, not guaranteed contractual commitments.

If a report is out of scope or non-actionable, rationale will be documented in the advisory workflow.