Security updates apply to the default branch of this repository as maintained by the project owners. Experimental or archived code may not receive fixes.
Please do not report security issues through public GitHub issues.
Use GitHub private vulnerability reporting for this repository if it is enabled in the repo’s Security tab. That keeps details private until a fix is ready.
In scope: Security defects in the code and configuration shipped in this repository (for example, injection, unsafe defaults that enable takeover of a component built from this repo, or credential handling bugs in sample code).
Typically out of scope: Third-party services, social engineering, physical security, denial-of-service against infrastructure you do not operate, or issues that require already-compromised credentials unless the repository’s code is the root cause.
This project does not run a public bug bounty program.