Please do NOT report security vulnerabilities through public GitHub issues.

Instead, use GitHub's private vulnerability reporting.

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Initial response: within 48 hours
• Confirmation: within 5 business days
• Resolution: depends on severity and complexity

We follow coordinated disclosure:

1. Reporter submits vulnerability privately
2. We confirm and assess severity
3. We develop and test a fix
4. We release the fix and publish a security advisory
5. Reporter may publish details after the fix is released