Security: api7/aisix

SECURITY.md

Security Policy

Supported Versions

Version        | Supported
Latest release | ✅ Yes
main branch    | ✅ Yes
Older releases | ❌ No

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

Report vulnerabilities privately via GitHub's security advisory system:

➡️ Open a private security advisory

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected component and versions
  • Potential impact
  • Suggested fix or mitigation (optional)

Response Timeline

We will respond as soon as possible. We aim to:

  • Acknowledge the report promptly
  • Keep you informed of investigation progress
  • Coordinate disclosure timing with you before any public announcement

Disclosure Policy

We follow coordinated disclosure. We ask that you:

  1. Give us reasonable time to investigate and fix the issue before public disclosure.
  2. Avoid exploiting the vulnerability beyond what is needed to demonstrate it.
  3. Avoid accessing or modifying data that does not belong to you.

We will credit you in the advisory unless you prefer to remain anonymous.

There aren’t any published security advisories