While XYZ's security footprint isn't very large, we do take it seriously. If you find there are any vulnerable library versions or holes in our configuration checks that could impact a user's system or servers, please let us know.

Email one of our maintainers directly using contact information found in their profiles. Prioritize Andrew DeChristopher me@dchr.host. For non-critical issues, please just open an issue or a PR with a fix and we'll be right on it.