For security issues, use GitHub Security Advisories so reports remain private until triage is complete.

1. Open the repository Security tab.
2. Create a private vulnerability report.
3. Include impact, reproduction steps, and affected versions.

If Security Advisories are unavailable, contact maintainers through a private channel and avoid posting exploit details in public issues.

• Maintainers acknowledge reports within 3 business days.
• A remediation plan is provided after triage.
• Public disclosure happens after a fix is available or mitigations are documented.