Thank you for helping keep this project and its users safe. We take security issues seriously and appreciate responsible disclosure.

We generally support the latest release series and the main branch. Security fixes may be backported at the maintainers' discretion when feasible.

• Please do not open public GitHub issues for security reports.
• Email [email protected] with details.

When reporting, include as much information as possible:

• Affected version(s) and environment
• Steps to reproduce, proof-of-concept, or exploit scenario
• Impact assessment and potential severity
• Any suggested mitigations or workarounds

We consider research conducted under this policy to be authorized. If you follow this policy:

• We will not pursue legal action
• We will not request law enforcement investigations

Please:

• Avoid privacy violations, data exfiltration, or service disruption
• Do not access more data than necessary to demonstrate the vulnerability
• Do not perform actions that could harm users or infrastructure

• Reports from automated scanners without an exploitable impact
• Missing security headers that do not lead to a concrete vulnerability
• Clickjacking on pages without sensitive actions
• Use of known-vulnerable dependencies without a proven exploit path in this project

We prefer coordinated disclosure. Please contact us first and give us reasonable time to investigate and address the issue before any public disclosure.