Do not open a public issue.

Report privately via GitHub Security Advisories: 👉 https://github.com/tyloo/atc/security/advisories/new

You'll get an acknowledgement within 72 hours and a status update at least every 7 days until the issue is resolved or declined. Please include reproduction steps and an estimate of impact (CVSS welcome but not required).

We follow coordinated disclosure: a CVE will be requested and a patched release published before details are made public.