Report vulnerabilities privately via GitHub Security Advisories (the "Report a vulnerability" button on the Security tab). Do NOT open a public issue.

Include a description, steps to reproduce, and potential impact.

For details on credential storage, key management, and the threat model, see [Security](../docs/5. security.md).