Email [email protected] with subject prefix [SECURITY].

Include:

• MFC version
• Platform (OS, Python version, deployment target)
• Vulnerability category
• Steps to reproduce
• Proof of concept, if available

We aim to acknowledge receipt within 48 hours and provide an initial assessment within 7 days. Please do not open public GitHub issues for security vulnerabilities.

We follow a 90-day disclosure timeline by default. We work with reporters to coordinate public disclosure on a timeline that accounts for severity, mitigation availability, and downstream user impact.