If private vulnerability reporting is enabled for arpahls/legacy-protocol, use it for sensitive issues (loss of funds, policy bypass, unauthorized execution).
If it is not enabled, contact maintainers through the channel published on github.com/arpahls. Do not post full exploit chains in public issues before coordination.
As smart contracts and operational components are added to this repository, this file will list in-scope paths and out-of-scope items (for example, third-party frontends not maintained here).
Security researchers who report valid issues may be credited in release notes or a hall of fame at the maintainers' discretion.