Please do not report unpatched vulnerabilities through public GitHub issues.
Preferred: use GitHub private vulnerability reporting for this repository:
If private reporting is unavailable, open a public issue that only asks for a secure disclosure channel. Do not include exploit details, secrets, personal data, or unreleased vulnerability information in a public issue.
When reporting, include:
- affected branch, tag, or commit
- reproduction steps
- impact assessment
- proof-of-concept input or sanitized logs when needed for safe reproduction
Response and disclosure expectations:
- acknowledgement target: within 7 days
- triage or status update target: within 30 days when a fix is feasible
- coordinated disclosure preferred after a fix or mitigation is available
Do not send production credentials, private keys, customer data, or copyrighted third-party source documents in reports. Use synthetic fixtures and sanitized evidence whenever possible.