Please report suspected vulnerabilities privately through GitHub Security Advisories. Do not open a public issue for an unpatched vulnerability.
Include the affected URL or component, reproduction steps, expected impact, and any suggested mitigation. Reports will be acknowledged and assessed as soon as practical for this community-maintained project.
Security fixes are applied to the deployment built from the master branch. Older commits and
self-hosted copies are not maintained as separate security release lines.
The public website, HTTP API, build pipeline, and compatibility metadata processing are in scope. Reports about vulnerabilities in upstream projects referenced by the catalog should be sent to those projects instead.