Please do not report security vulnerabilities in public issues.

Instead, report privately via the project's security contact email.

Please include:

• Affected version/commit
• Reproduction steps or proof of concept
• Impact assessment
• Suggested fix (if available)

• Initial response target: within 3 business days
• Status update target: within 7 business days