ThunderOS is currently maintained on the default branch and the latest release line.

Use GitHub private vulnerability reporting for ThunderOS.

1. Open the repository security page.
2. Choose Report a vulnerability.
3. Include the affected commit, subsystem, reproduction steps, and impact.
4. Do not open a public issue for security-sensitive bugs.

If the bug is not security-sensitive, use the normal issue tracker instead.

• An acknowledgment within 5 business days.
• A follow-up status update after triage.
• Coordinated disclosure after a fix is available.

Reports that include a clear reproduction path, affected configuration, and expected impact are much easier to triage quickly.