Security fixes are applied to the latest stable release branch.

Please do not disclose vulnerabilities publicly before a fix is available.

1. Open a private security report if available on the repository host.
2. If private reporting is not available, contact maintainers directly.
3. Include reproduction steps, impact, and affected version.

1. Initial acknowledgement: within 72 hours.
2. Triage and severity assessment: as soon as possible.
3. Fix and disclosure timeline: depends on severity and exploitability.

When reporting, include whether the issue affects:

1. Credential handling and secret exposure.
2. Outreach safety defaults or anti-abuse behavior.
3. Dependency or supply-chain risks.
4. Data persistence in logs/database/exports.