# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| v0.3.x  | Yes       |
| < v0.3  | No        |

## Reporting a Vulnerability

If you discover a security vulnerability in Espilon, please report it responsibly.

**Do NOT open a public issue.**

Send an email to: **espilon-security@proton.me**

Include:

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)

You will receive a response within 72 hours. We will work with you to understand and address the issue before any public disclosure.

## Scope

This policy covers:

- ESP32 firmware (`espilon_bot/`)
- C3PO control server (`tools/C3PO/`)
- Cryptographic implementation (ChaCha20-Poly1305, HKDF)
- Network protocols and command dispatch

## Responsible Disclosure

We ask that you:

- Allow reasonable time to fix the issue before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify data belonging to others