Please report vulnerabilities privately so we can fix them before public disclosure.

• Preferred: open a private security advisory in the repository (GitHub → Security → Advisories).
• Alternative: email the maintainers at [replace-with-security-email].

We aim to acknowledge reports within 5 business days and fix valid issues as soon as practical.

• Avoid including sensitive data (tokens, secrets) in issues or PRs.