# Security Policy

## Supported Version

WatchLink is pre-release. Security fixes apply to the current `main` branch.

## Reporting

Report vulnerabilities privately to the repository owner. Do not open public issues for secrets, authentication bypasses, or data exposure.

## Baseline Rules

- Do not commit `.env`, tokens, private keys, certificates, or database dumps.
- Change `NEXTAUTH_SECRET` before production use.
- Use a strong Postgres password in production.
- Store Gitea registry credentials in repository or organization secrets.
- Review `docs/security-review.md` before release work.