If you discover a security vulnerability in Plain, please report it privately:

• GitHub: Report a vulnerability (private, preferred)
• Email: security@plainframework.com

Please do not file a public GitHub issue for security vulnerabilities.

• Acknowledgment within 48 hours
• An assessment and plan within 1 week
• We'll coordinate disclosure with you before any public announcement

Security fixes are applied to the latest release only.