Please report suspected vulnerabilities privately and do not open public issues for security findings.

• Contact: repository maintainers via private channel (email/security contact configured for this repository).
• Include:
  • affected component and version/commit
  • clear reproduction steps or proof of concept
  • impact assessment and suggested mitigation (if known)

1. We acknowledge receipt.
2. We triage and validate the report.
3. We define severity, impacted versions, and remediation plan.
4. We prepare and test a fix.
5. We coordinate disclosure timing with the reporter.
6. We publish a security advisory/changelog note once remediation is available.

The policy applies to all repository assets, including:

• source code and scripts
• infrastructure and compose configuration
• docs/examples when they can cause security impact

We support good-faith security research. Do not exfiltrate data, disrupt services, or violate legal boundaries while testing.