This is the org-wide default policy for coldqubit projects; a project's own SECURITY.md always wins where it exists.

Please do not open a public issue for security problems. Instead use GitHub's private vulnerability reporting on the affected repository, or email info@coldqubit.org.

Include: the affected project and version (or image tag), reproduction steps, and impact. We aim to acknowledge within 72 hours and to provide a remediation timeline after triage.

coldqubit projects are early (0.x); security fixes land on each project's main and its latest tagged release.