- Do not open public issues for sensitive vulnerabilities.
- Report with:
  - affected component/file
  - reproduction steps
  - impact
  - suggested mitigation (if available)
- Initial acknowledgment: as soon as possible.
- Triage and severity classification.
- Patch plan and release communication when validated.

Priority areas:
- Authentication and token handling.
- WebSocket authorization/origin checks.
- Voice token issuance and permissions.
- Data exposure/PII in telemetry.