Do not report vulnerabilities in public issues, pull requests, discussions, or logs.
Use GitHub private vulnerability reporting when available. Otherwise, email
OgeonX@gmail.com with:
- affected repository, branch, version, or commit;
- impact and realistic attack scenario;
- minimal reproduction steps or proof of concept;
- suggested mitigation, if known.
Do not include active credentials, personal data, or unrelated private material.
Security issues are especially relevant for:
- browser-extension or local-bridge privilege boundaries;
- unsafe logging, secret exposure, or token handling;
- workflow permissions and dependency-chain weaknesses;
- arbitrary code execution or unsafe local automation behavior.
Good-faith research that avoids privacy violations, persistence, destructive changes, and service degradation will be treated as authorized within this policy's scope.