Security: GrayCodeAI/trace

Security Policy

We take security seriously. Thank you for helping keep Trace and its users safe.


Reporting a Vulnerability

Do not report security issues through public GitHub issues.

Email security@graycode.ai with:

  1. Clear description of the vulnerability
  2. Impact assessment
  3. Steps to reproduce
  4. Affected versions (if known)
  5. Suggested fix (optional)

Response Timeline

Stage              Timeframe
Acknowledgment     Within 48 hours
Status update      Within 7 days
Resolution target  Within 90 days for critical issues

All reports are kept confidential.


Scope

In scope:

  • The Trace CLI (trace binary)
  • Official GrayCode AI repositories
  • Trace services at graycode.ai

Out of scope:

  • Third-party dependency issues (report upstream)
  • Social engineering
  • Denial of service attacks
  • Issues requiring physical device access

Security Advisories

Advisories are issued for vulnerabilities exploitable by remote or non-local actors.

Local-only issues (ReDoS in local execution, resource exhaustion requiring local access) are treated as bug reports — use GitHub Issues.


Thank you for responsible disclosure.
