Please do not open public issues for potential security vulnerabilities.
Instead, report privately with:
- A clear description of the issue
- Steps to reproduce
- Impact assessment
- Suggested remediation (if available)

Use the repository contact channel/profile for private disclosure.

Security reports are especially relevant for:
- File handling and path traversal
- Unexpected code execution vectors
- Dependency-related vulnerabilities

Response timeline:
- Initial response: within 7 days
- Triage decision: within 14 days