Report security issues privately to the maintainers before public disclosure.

Do not post exploit details, private proof harnesses, credentials, or unreleased report bodies in public issues, pull requests, comments, or ledger fields.

Accepted private security work can receive MRWK with a redacted public proof that records the bounty, recipient account, amount, verifier result, and ledger hash without publishing sensitive details.