To report a vulnerability, email mahmood.ahmad2@nhs.net with
subject [SECURITY] or use GitHub's private vulnerability reporting.
7-day acknowledgement; 30-day fix-or-mitigation SLA for confirmed issues.
Automated checks: CodeQL, Dependabot, pip-audit (manual).