Report security vulnerabilities by opening a GitHub Issue on this repository with the security label. Please do NOT open a public issue for critical vulnerabilities — use the private vulnerability reporting feature if available, or email the maintainers directly.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if known)

• 48 hours: Acknowledgment of receipt
• 7 days: Initial assessment and remediation plan
• 90 days: Public disclosure after fix (standard coordinated disclosure)

We appreciate responsible disclosure and will acknowledge contributions in release notes unless anonymity is requested.