
Security: yuan-cloud/vifei-suite-public

SECURITY.md

Security Policy

Reporting a vulnerability

Do not open public issues for potential vulnerabilities.

Send a private report with:

  • affected version or commit
  • impact assessment
  • reproduction steps or proof of concept
  • any suggested mitigation

Use one of these channels:

  • GitHub Security Advisories (preferred)
  • private maintainer contact if advisory tooling is unavailable

Preferred advisory URL:

  • https://github.com/yuan-cloud/vifei-suite/security/advisories/new

Scope

High-priority security areas for this project:

  • secret redaction and export refusal paths
  • deterministic artifact integrity and hash validation
  • share-safe export boundaries
  • credential/token leakage through logs or artifacts

Response expectations

  • Initial acknowledgement target: 72 hours
  • Triage and severity assignment after reproduction
  • Fix timeline depends on severity and release risk

Disclosure

Please allow time for a fix before public disclosure. Coordinated disclosure is preferred.
