Security: comphy-lab/discussions

Security Policy

Scope

This repository hosts discussions about computational multiphase physics research. As a discussions forum, it does not contain production code or services. However, discussions may reference code, data, or computational methods that could have security implications.

What to Report

Report These Issues

  • Exposure of sensitive data - Accidentally posted credentials, API keys, or private data
  • Malicious code - Code snippets designed to harm systems or steal data
  • Phishing or impersonation - Accounts pretending to be lab members or others
  • Platform vulnerabilities - GitHub security issues affecting this repository
  • Doxxing - Unauthorized disclosure of personal information

Do Not Report Here

  • General GitHub issues - Report to GitHub Security
  • Issues with referenced code - Report to the repository where the code lives
  • Paper ethical concerns - Contact the journal or institution directly

How to Report

For Sensitive Issues

If you discover a security issue that should not be publicly disclosed:

  1. Do not post in discussions - This would make the issue public
  2. Contact the lab directly - Use contact information from comphy-lab.org
  3. Provide details:
    • Description of the issue
    • Link to the discussion or comment (if applicable)
    • Potential impact
    • Steps to reproduce (if relevant)

For Posted Sensitive Data

If you accidentally posted credentials or sensitive information:

  1. Revoke the credentials immediately - Change passwords, rotate keys
  2. Edit your comment - Remove the sensitive data
  3. Contact maintainers - We can help ensure data is not cached
  4. Document the incident - Note what was exposed and when it was revoked

For Code Security Questions

If you have questions about security implications of discussed methods:

  1. Start a discussion in the appropriate category
  2. Be clear about your security concern
  3. Avoid posting potentially vulnerable code publicly

What to Expect

Response Times

  • Critical issues (exposed credentials, active threats): Within 24 hours
  • Important issues (potential vulnerabilities): Within 3 business days
  • General concerns: Within 5 business days

Resolution Process

  1. Acknowledgment - We confirm receipt of your report
  2. Assessment - We evaluate the severity and impact
  3. Action - We take appropriate steps (remove content, contact GitHub, etc.)
  4. Follow-up - We inform you of the resolution

Best Practices for Discussions

When Sharing Code

  • Never include credentials - No API keys, passwords, tokens, or private keys
  • Sanitize file paths - Remove usernames and identifying information
  • Use dummy values - Replace real URLs, IPs, or hostnames with examples
  • Review before posting - Double-check that no sensitive data is included

When Sharing Results

  • Respect data privacy - Don't post data you don't have rights to share
  • Check collaborator agreements - Ensure you're allowed to share results
  • Anonymize if needed - Remove identifying information from datasets

When Referencing Systems

  • Don't describe security weaknesses of production systems
  • Don't share infrastructure details that could enable attacks
  • Do discuss general computational security in appropriate academic context

Responsible Disclosure

If you discover a security issue in code or methods discussed here:

  1. Assess the impact - Is this actively exploitable?
  2. Contact the responsible party - Reach out to code authors or maintainers
  3. Allow time for fixes - Give reasonable time before public disclosure
  4. Coordinate disclosure - Work with maintainers on appropriate announcement

Standard practice in academic security research is to allow 90 days for remediation before public disclosure.

Questions

For questions about this security policy or unclear situations:

  • Review CONTRIBUTING.md for general guidelines
  • Start a discussion in the General category for non-sensitive questions
  • Contact the lab directly for sensitive inquiries

Updates

This policy may be updated as needed. Changes will be announced in the discussions forum.


Key Principle: When in doubt about whether something is sensitive, treat it as sensitive. It's better to be cautious than to expose security issues.