Security fixes are applied to the latest code on the default branch.

Do not open public issues for security vulnerabilities.

Use a private report and include:

• Impact summary.
• Steps to reproduce.
• Affected files or components.
• Proof-of-concept details when safe to share.
• Suggested mitigation (optional).

• Preferred: GitHub private vulnerability reporting (Security Advisories).
• Alternate: private maintainer contact if advisory flow is unavailable.

• Acknowledge report within 7 days.
• Initial triage within 14 days.
• Fix timeline based on severity, exploitability, and complexity.

In scope:

• This repository's application code and shipped artifacts.

Out of scope:

• General support requests.
• External outages or third-party platform incidents outside this codebase.

• Coordinate disclosure privately until a fix is available.
• Avoid publishing exploit details before maintainers complete triage.
• Reporter credit can be provided after resolution unless anonymity is requested.