If you discover a security issue, do not open a public issue.
Please report privately to:
Include:
- impacted component/file
- reproduction steps
- potential impact
- suggested remediation (if available)
We will acknowledge receipt within 72 hours and provide status updates until resolution.
Security-relevant areas include:
- secrets handling (`.env`, API keys)
- external data fetching and parsing
- dependency vulnerabilities
- unsafe output handling in downstream dashboards