Do not open public issues for vulnerabilities, leaked secrets, authentication bypasses, privacy problems, or anything that could put users, customers, or infrastructure at risk.

Email security@iammara.com with:

• The affected repository and commit, tag, or deployed URL.
• A clear description of the issue.
• Reproduction steps or proof of concept, if safe to share.
• Impact and any data exposure you believe is possible.
• Your preferred contact method for follow-up.

We will acknowledge valid reports as soon as practical, investigate, and coordinate a fix before public disclosure.

This policy applies to Mara public repositories. It does not authorize testing against production systems, customer data, third-party services, social engineering, denial-of-service attacks, or access to data you do not own.