# ClearGlassInc Artemis Security Policy

## Scope
This policy applies to the public ClearGlassInc Artemis GitHub Pages and supporting documentation repository.

## Supported versions
| Branch / Version | Supported |
| --- | --- |
| `main` (current production content) | ✅ |
| Legacy snapshots and archived exports | ⚠️ Best effort |

## Reporting a vulnerability
Report vulnerabilities privately by opening a GitHub private vulnerability report:

https://github.com/ClearGlassInc/ClearGlassInc.github.io/security/advisories/new

If GitHub private vulnerability reporting is unavailable, email the security owner at
`security@clearglassinc.com` with the subject prefix `[SECURITY] ClearGlassInc Artemis`.
Do not open a public issue for suspected vulnerabilities, secrets, authentication bypasses,
or exploit details.

Please include:
- impacted file, endpoint, or feature;
- reproducible steps;
- potential impact and exploit conditions;
- proof-of-concept (if safe and lawful).

## Response timeline
- **Acknowledgment:** within 1 business day
- **Initial triage:** within 3 business days
- **Status updates:** at least every 5 business days until closure

## Safe harbor expectations
Good faith security research is permitted when it:
- avoids service disruption;
- avoids unauthorized data access, exfiltration, or persistence;
- remains within legal and ethical boundaries;
- is reported promptly and confidentially.

## Disclosure process
- Coordinated disclosure is preferred.
- Public disclosure should follow remediation or mutual agreement.
- Severity scoring and remediation decisions are handled by the ClearGlassInc Artemis security owner.

## Security commitments
ClearGlassInc Artemis follows secure by design principles including least privilege, access control, logging, and policy-driven change management.
