Please do not open public GitHub issues for security vulnerabilities.

Instead, report vulnerabilities privately through one of these options:

• GitHub private vulnerability reporting (if enabled on the repository), or
• contact the maintainers directly with details and reproduction steps.

Include:

• affected component(s)
• clear reproduction steps or proof of concept
• impact assessment
• suggested mitigation (if known)

• Initial acknowledgment: within 72 hours
• Triage and severity assessment: within 7 days
• Fix timeline: based on severity and complexity

This policy applies to the code and configuration in this repository.