1. Prefer GitHub private vulnerability reporting (Security tab -> Report a vulnerability).
2. If private reporting is unavailable, open a limited GitHub issue requesting a secure contact channel without posting exploit details.
3. Include:
   • affected commit/tag/version
   • impact summary
   • reproduction steps or proof-of-concept
   • suggested mitigation (if available)

Do not post full exploit details publicly before remediation is coordinated.

• Acknowledgement: within 3 business days.
• Initial triage outcome: within 7 business days.
• Remediation timeline: based on severity and release risk.

• Please allow time for triage, patch development, and release rollout before public disclosure.
• We will coordinate disclosure timing and advisories after a fix is available or compensating controls are documented.

• Maintainer workflow reference: docs/SECURITY_RELEASE_WORKFLOW.md