Security: ramimbo/mergework

SECURITY.md

Security Policy

Report security issues privately to the maintainers before public disclosure.

Do not post exploit details, private proof harnesses, credentials, or unreleased report bodies in public issues, pull requests, comments, or ledger fields.

Accepted private security work can be paid in MRWK, accompanied by a redacted public proof that records the bounty, recipient account, amount, verifier result, and ledger hash without publishing sensitive details.

For private security bounties, keep the payment status wording separate from the report content:

  • A pending pay_bounty proposal means the security work was accepted for payout review, not paid.
  • A security bounty is paid only after a public proof or ledger entry exists.
  • Public comments should link the redacted proof and avoid vulnerability mechanics unless maintainers approve disclosure.