Do not open public issues for security vulnerabilities.

Use GitHub's private security advisory feature to report vulnerabilities confidentially.

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

We aim to acknowledge reports within 48 hours and provide a timeline for resolution within 5 business days.

We follow coordinated disclosure. Once a fix is released, we'll publish a security advisory with credit to the reporter (unless they prefer to remain anonymous).