Please report vulnerabilities privately through GitHub Security Advisories or the published project security contact.

Do not disclose vulnerabilities publicly until maintainers have reviewed and coordinated a response.

Reports may include:

• Unsafe file handling
• Secret leakage risk
• Unsafe renderer behavior
• Dependency vulnerabilities
• SSRF or unsafe URL handling
• Result serialization issues

Structora Core does not support or accept reports related to building checkout automation, captcha solving, credentialed abuse, payment submission, or bypass tooling.

Structora Core is read-only by design. It analyzes structure and produces discovery output. It does not submit forms, perform transactions, authenticate sessions, bypass access controls, or automate user actions.

The v0.1.0-alpha release is an alpha-quality public infrastructure release. Security reports should focus on repository safety, unsafe file handling, accidental secret exposure, unsafe rendering assumptions, dependency vulnerabilities, and result serialization issues.