Please do not open a public GitHub issue for suspected security vulnerabilities.

Use GitHub private vulnerability reporting for this repository when available. If private reporting is not available at the time of disclosure, contact the maintainers through private repository-owner channels and include:

• a clear description of the issue,
• the affected version or commit,
• reproduction steps or proof of concept,
• impact assessment,
• any proposed mitigation.

The project aims to:

• acknowledge a credible report within 5 business days,
• reproduce and assess severity as quickly as practical,
• prepare a fix or mitigation before public disclosure when possible,
• credit reporters who want attribution after the issue is resolved.

This policy covers:

• source code in this repository,
• default deployment artifacts published with the repository,
• documented public API surfaces and operational endpoints.

Out of scope unless explicitly tied to this repository:

• third-party hosted infrastructure not operated from this codebase,
• speculative reports without a reproducible impact path,
• issues that depend on compromised credentials or local administrator access without an additional vulnerability.

If you act in good faith, avoid data destruction, avoid privacy violations, and do not disrupt service availability, the project will treat your research as authorized for the purpose of coordinated disclosure.