If you discover a security vulnerability in SAGE, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Email the author directly via GitHub: @l33tdawg
3. Include a description of the vulnerability, steps to reproduce, and any relevant logs or screenshots

• Acknowledgement: Within 72 hours of report
• Assessment: Within 7 days
• Fix or mitigation plan: Within 30 days

Reporters will be credited in the changelog unless anonymity is requested.

• SAGE Personal (sage-gui): Single-user, localhost-only. Primary attack surface is the local REST API on port 8080.
• SAGE Enterprise: Multi-node BFT consensus. Broader attack surface including inter-validator communication, RBAC, and federation.

For a detailed security analysis, threat model, and known limitations, see SECURITY_FAQ.md.