We prefer responsible disclosure via GitHub Security Advisories (private). To report a vulnerability, please open a Security Advisory for this repository:
- Go to this repository → Security → Security advisories → Report a vulnerability (this creates a private, GitHub-hosted advisory thread).
- Provide steps to reproduce, impact, and any proof-of-concept (PoC). Attach a trace or screenshot if helpful.

We will acknowledge new reports within 72 hours and aim to coordinate a fix privately. Do not disclose vulnerabilities publicly until the issue is fixed or we have agreed a disclosure timeline.