Please do not open public issues for undisclosed vulnerabilities.

Report security findings to maintainers through a private channel and include:

• affected module/file
• impact and exploitability
• reproduction steps or proof of concept
• suggested remediation

• We acknowledge reports as quickly as possible.
• We validate impact before public disclosure.
• We coordinate remediation and release notes with reporters when appropriate.