Please do NOT report security vulnerabilities through public GitHub issues.

Instead, use one of these channels:

1. GitHub Security Advisories (preferred): Go to Security → Advisories → New draft advisory to report privately.

2. Email: Create a private advisory on GitHub (no public email for security reports).

• Description of the vulnerability
• Steps to reproduce
• Affected version(s)
• Impact assessment (if known)

• Acknowledgment: within 48 hours
• Initial assessment: within 7 days
• Fix or mitigation: depends on severity (critical: ASAP, high: 14 days, medium: 30 days)

• You will receive an acknowledgment with a tracking reference
• We will keep you informed of progress toward a fix
• We will credit you in the release notes (unless you prefer anonymity)
• We will NOT take legal action against researchers who follow responsible disclosure

All release builds are signed via SignPath Foundation (Authenticode). See CODE_SIGNING_POLICY.md for details.

• DPAPI encryption for stored credentials (Windows Data Protection API)
• No plaintext secrets in configuration files
• CI security scanning via CodeQL (weekly) and SonarCloud (per push)
• Dependency scanning via GitHub Dependabot
• Code review required for all pull requests

mRemoteNG uses legitimate Windows APIs (SendInput, DPAPI, COM Interop) that may trigger heuristic antivirus detections. These are false positives. See docs/ANTIVIRUS_FALSE_POSITIVE.md for details.