Security: ExceptionRegret/Kryfto

Security Policy

Reporting

Please report vulnerabilities privately to: exceptionregret@gmail.com (replace with your maintainer contact).

Include:

  • affected version/commit
  • reproduction steps
  • impact assessment
  • any proposed mitigations

Scope

The scope of this policy includes:

  • API auth/RBAC bypasses
  • SSRF bypasses
  • artifact authorization issues
  • credential/secret leakage
  • remote code execution vectors in recipe/plugin loading

Response Targets

  • Initial response: 3 business days
  • Triage decision: 7 business days
  • Coordinated disclosure after fix validation

Do not open public issues for active vulnerabilities.

There aren’t any published security advisories