Do not report security vulnerabilities through public GitHub issues.

Instead, please report them using GitHub Security Advisories.

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

• Acknowledgment within 72 hours
• An initial assessment within 7 days
• Updates as the fix progresses
• Credit in the advisory (unless you prefer to remain anonymous)

This is an actively developed project. Only the latest state on main receives security fixes.

We ask that you:

• Give us a reasonable time to respond and fix the issue before public disclosure
• Do not access or modify other users' data
• Do not degrade service availability (no DDoS, no mass scraping)
• Act in good faith to protect users' privacy and safety

We will not take legal action against security researchers who follow responsible disclosure practices.