Do not open a public issue for security vulnerabilities.

Email contact@laboverwire.ca with:

• Description of the vulnerability
• Steps to reproduce
• Affected versions
• Impact assessment (if known)

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix or mitigation: depends on severity

We follow coordinated disclosure. Vulnerabilities will be disclosed publicly after a fix is available and users have had reasonable time to update.