Security: SentinelOps-CI/spec-to-proof

SECURITY.md

Security

Reporting a vulnerability

Please report security issues privately so we can assess impact and ship a fix before details are public.

  • Prefer GitHub Security Advisories for this repository: open a draft security advisory or use the “Report a vulnerability” flow from the Security tab when available.
  • If you cannot use GitHub, contact the maintainers through a private channel they publish in the repository README or organization profile.

Include:

  • A short description of the issue and its impact
  • Steps to reproduce (proof-of-concept, versions, configuration)
  • Whether you believe the issue is already exploited or public

We aim to acknowledge receipt within a few business days and coordinate disclosure after a fix is ready.

If you need encrypted communication, include your preferred secure contact method in the initial report and we will continue over that channel.

Supported versions

Security fixes are applied to the default branch and released according to the project’s tagging and release process. Use the latest tagged release or the default branch for production deployments when possible.

Safe harbor

If you follow good-faith disclosure practices (no data destruction, no sustained service disruption, no privacy violations), we will not pursue legal action for research activities related to this report.