
Security: soenneker/soenneker.managers.base

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, do not create a public GitHub issue or discussion.

Instead, report it privately using this repository’s GitHub private vulnerability reporting tool.

When reporting, include as much detail as possible to help us triage effectively:

  • A description of the vulnerability and its context
  • Clear reproduction steps (if applicable)
  • Relevant logs, configs, or code snippets
  • Your assessment of potential impact or severity

We aim to respond within 2 business days, and will work with you to assess and resolve the issue promptly. If a fix requires more time, we’ll provide regular status updates until it’s resolved.

Disclosure Policy

Once a vulnerability is confirmed and fixed:

  • We may publish a GitHub Security Advisory
  • You will be credited as the reporter (unless you request anonymity)
  • A patch release and changelog update will follow

We follow Coordinated Vulnerability Disclosure best practices: we work privately with reporters to verify and fix security issues, and publicly disclose them only once a safe resolution is in place.

Security Best Practices

For your safety when using this project:

  • Use the latest release
  • Keep dependencies updated
  • Avoid exposing secrets or internal APIs
  • Apply least-privilege principles when integrating or deploying

There aren’t any published security advisories