Security reports are welcome for vulnerabilities in the published package, plugin runtime behavior, configuration handling, and operator-facing tooling in this repository.
Please avoid posting full exploit details publicly at first.
If GitHub private security reporting is available for the repository, use that channel. Otherwise, open a minimally disclosing issue requesting a private contact path.
Include:
- affected version or commit
- impact summary
- reproduction details
- any suggested mitigation
This project is maintained on a best-effort basis, but valid reports will be reviewed as quickly as practical.
Out of scope:
- vulnerabilities in third-party services outside this repository
- issues that require unsafe local configuration the project does not recommend
- general support requests without a concrete security impact