Please report security vulnerabilities privately: do not open a public issue or PR.
Use GitHub's private vulnerability reporting: the repository's Security tab → Report a vulnerability. We'll acknowledge the report and keep you posted on the fix and disclosure.
Security fixes are released against the latest published version of @simmit/sdk.
This policy covers the @simmit/sdk package and this repository. Issues with the Simmit API or service itself should go through your account's support channel.