Do not open public issues for suspected vulnerabilities.

Instead, report privately to project maintainers with:

• Affected version(s)
• Reproduction steps / proof of concept
• Impact assessment
• Suggested mitigation (if available)

If private reporting infrastructure is not yet configured, use repository owner contact and mark the message as a security disclosure.

• Acknowledgement: within 3 business days
• Initial triage: within 7 business days
• Fix timeline: depends on severity and release constraints

• API keys must stay server-side.
• Never expose provider credentials to browser clients.
• Validate and bound user-submitted text before provider calls.
• Log safely; do not store sensitive source text unless explicitly required.