Do not report vulnerabilities by opening a public issue if the report includes secrets, exploit details, private infrastructure, or user-specific data.

For private reports, contact the repository owner directly through GitHub or use the repository security advisory flow if it is enabled.

Please include:

• affected version or commit
• operating system and shell
• reproduction steps
• expected behavior
• actual behavior
• impact assessment

Do not include tokens, private keys, local credentials, internal hostnames, or personal filesystem paths in issues, pull requests, commits, logs, screenshots, or test fixtures.