Please do not open public GitHub issues for unpatched security vulnerabilities.

Use one of the following channels:

• GitHub Security Advisories (preferred): open a private report in this repository
• If private reporting is unavailable, contact project maintainers directly and include:
  • clear reproduction steps
  • impacted version/commit
  • proof of impact
  • suggested remediation (if available)

This policy covers:

• the website source code
• build/deploy workflows
• dataset ingestion and rendering paths

• Initial triage acknowledgment target: within 5 business days
• Valid reports receive status updates as remediation progresses
• Public disclosure should occur only after a fix or coordinated mitigation is available

Good-faith security research and responsible disclosure are welcome.