Do not file a public issue for security vulnerabilities.

Please report vulnerabilities through GitHub Security Advisories. This allows us to assess and address the issue privately before any public disclosure.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: within 48 hours
• Assessment: within 7 days
• Fix target: within 90 days, depending on severity

We will coordinate disclosure timing with you and credit you in the fix (unless you prefer otherwise).