RhoeJSON accepts responsible disclosure for vulnerabilities affecting JSON
parsing, JSON5 parsing, JSONPath queries, JSON Pointer/Patch mutation, schema
validation, structured-format conversion, streaming, binary codecs, the CLI,
the preview daemon, WebAssembly integration, and the optional macOS Apple
Foundation Models system API.

The first supported public line is 0.1.x after the initial public release is
tagged.

Before GitHub private vulnerability reporting is enabled on the public repo, contact the RhoePlatform maintainers privately through the organization security channel. Do not open public issues for suspected vulnerabilities.

Please include:
- A clear description of the vulnerability.
- Minimal reproduction steps or a proof of concept.
- Affected package targets, platforms, and versions.
- Any known impact on confidentiality, integrity, availability, local preview routing, file watching, process boundaries, or sandbox assumptions.

Maintainers will acknowledge valid reports, triage severity, prepare a fix on a private branch if needed, and publish coordinated release notes once remediation is available.

The JSONSchemaAIGenerator surface is an optional Apple system API wrapper. It
is compiled only on macOS when Apple's FoundationModels framework is
available. Linux CI and Linux packages must not compile or expose that API
surface.

Security fixes and advisories for this repository are governed by the Apache 2.0
license in LICENSE.