If you discover a security issue, do not open a public bug report first.

Preferred path:

• use GitHub Security Advisories for private reporting

If private reporting is not available, open a minimal issue without exploit details and request a private contact path.

Security-sensitive areas include:

• privileged helper execution
• PolicyKit integration
• driver installation and removal flows
• command execution paths
• package and metadata distribution integrity