# Security Policy

This security policy applies to public projects under the [Kit organization](https://github.com/kit) on GitHub.

## Reporting a Vulnerability

If you discover a security vulnerability, please report via any of the below:

- [Kit](https://kit.com/report-vulnerability)
- [PatchStack](https://patchstack.com/database/vdp/b599634b-6960-4d4b-bb14-bd00c08392b0)
- [GitHub](https://github.com/Kit/convertkit-woocommerce/security/advisories)
- [Email](mailto:security@kit.com)

Please do **not** report security issues publicly via GitHub issues or discussions. Security reports sent via the above channels be acknowledged within 48 hours.

## Security Disclosure Process

When reporting a security vulnerability, please include:

1. **Description** - A clear description of the vulnerability
2. **Impact** - What kind of vulnerability it is and who it impacts
3. **Reproduction** - Detailed steps to reproduce the issue
4. **Proof of Concept** - If applicable, include proof-of-concept code
5. **Suggested Fix** - If you have ideas for how to fix the issue

## Security Response Timeline

- **Initial Response**: Within 48 hours of receiving the report
- **Investigation**: We will investigate and validate the reported vulnerability
- **Fix Development**: Development of a patch or mitigation strategy
- **Release**: Coordinated disclosure and release of security update
- **Public Disclosure**: After users have had time to upgrade