Security fixes are applied to the latest main branch.
Please do not report security vulnerabilities in public issues.
Preferred channels:
- GitHub Security Advisories (private report in this repository).
- If that is unavailable, open a minimal private contact request and we will provide a secure channel.
When reporting, include:
- Affected component and endpoint/file.
- Reproduction steps.
- Impact and severity estimate.
- Suggested mitigation (if available).
Scope:
- This project is defensive by design.
- Vulnerability reports that require unauthorized targeting are out of scope.
- Reports should focus on misuse risk, data exposure, auth bypass, RCE, SSRF, path traversal, and unsafe defaults.
Response process:
- Initial triage: within 5 business days.
- Status updates: as fixes progress.
- Coordinated disclosure after patch availability.