# Security Policy (DRAFT stub — see oss/overlay/SECURITY.md)

The authoritative security policy is **[oss/overlay/SECURITY.md](../oss/overlay/SECURITY.md)**, which ships publicly as `SECURITY.md`. It covers:

- Supported versions (latest release + `main`).
- Private vulnerability reporting (no public issues for undisclosed vulnerabilities; use the host's private reporting feature or contact the owner; 7-day acknowledgement).
- Deployment baseline (localhost until OAuth, TLS reverse proxy, `safety.bash_sandbox: always`, secret hygiene, `/metrics` restriction, tool/integration review).

No separate top-level `SECURITY.md` is needed. Delete this draft after confirming the overlay policy.