Security reports are accepted for actively maintained public repositories in the
starhaven-io organization. Archived repositories and experimental branches are
handled on a best-effort basis.

Please do not report suspected vulnerabilities in public issues or discussions.
Use GitHub's private vulnerability reporting flow from the affected repository's Security tab: Security -> Report a vulnerability. If that flow is not available for the affected repository, open a minimal public issue asking for a private disclosure channel and do not include exploit details.

Useful reports include:
- The affected repository, version, tag, or commit.
- A concise description of the impact.
- Reproduction steps or proof-of-concept details.
- Whether the issue is already public or under embargo.

Reports are acknowledged as quickly as practical. Fixes and disclosure timing are coordinated privately, then published through advisories, releases, or release notes when appropriate.