If you discover a security issue, do not file a public issue.

• Prefer a private GitHub security advisory in the affected repository when that option is available.
• If private reporting is not enabled yet, contact the repository owners or organization owners directly and include:
  • affected repository and branch
  • reproduction steps
  • expected impact
  • any known mitigations

• We aim to acknowledge reports within 3 business days.
• We may ask for a proof of concept, logs, or a minimal reproduction.
• Please avoid sharing exploit details broadly until the fix or mitigation is in place.