Security: bauer-group/CS-RabbitMQ

SECURITY.md

Security Policy

BAUER GROUP takes the security of our software, services and infrastructure seriously. This policy applies organization-wide and is inherited by every repository under github.com/bauer-group that does not define its own.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Use one of the private channels below:

  1. GitHub private vulnerability reporting (preferred). On the affected repository, open the Security tab and click "Report a vulnerability". This keeps the report private and tied to the code in question.

  2. Email. Write to security@bauer-group.com. If you wish to encrypt your report, request our PGP key in an initial (unencrypted) message that contains no sensitive details.

To help us triage quickly, please include where possible:

  • The affected repository, product, version/commit, and environment.
  • The type of issue (e.g. memory safety, injection, auth bypass, misconfiguration, exposed secret).
  • Step-by-step instructions to reproduce, and a proof-of-concept if available.
  • The impact and how an attacker might exploit it.

Our commitment

  • Acknowledgement within 3 business days.
  • Initial assessment (severity and validity) within 10 business days.
  • Status updates at least every 10 business days until resolution.
  • Coordinated disclosure: we will agree a disclosure timeline with you and credit reporters who wish to be named once a fix is available.

Scope

In scope: source code, container images, packages and services published under the BAUER GROUP organization.

Out of scope (please do not test against these): production systems and customer data, denial-of-service / volumetric testing, social engineering, physical attacks, and findings that require privileged local access or a compromised host. Automated scanner output without a demonstrated, exploitable impact is generally considered informational.

Safe harbor

We will not pursue or support legal action against researchers who:

  • make a good-faith effort to comply with this policy,
  • avoid privacy violations, data destruction, and service disruption, and
  • give us reasonable time to remediate before any public disclosure.

If in doubt about whether your testing is authorized, ask us first at security@bauer-group.com.

Supported versions

Unless a repository states otherwise, security fixes target the latest released version and the default branch. Older releases are addressed at our discretion based on severity and exposure.
Thank you for helping keep BAUER GROUP and our users safe.