Security: Morris-Lau/Oto

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open public GitHub issues for suspected security problems.

Instead, contact the maintainer privately with:

  • a short description of the issue
  • impact
  • reproduction steps
  • any proof-of-concept details that help validate it safely

If you do not already have a private channel with the maintainer, open a minimal GitHub issue asking for a private contact path without disclosing the vulnerability details.

Scope

Security-sensitive areas include:

  • authentication and session handling
  • persisted cookies or account-linked local data
  • download and file persistence flows
  • build, signing, and release automation

Expectations

  • Give the maintainer reasonable time to validate and fix the issue before public disclosure
  • Avoid publishing exploit details while a fix is in progress

There aren't any published security advisories