
Security: daniel-craft/dev-tool-configs

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security issue in a recommended configuration — for example, a setting that inadvertently exposes data or weakens a tool's privacy posture — please report it privately.

Do not open a public GitHub issue for security vulnerabilities.

Instead, use GitHub's private vulnerability reporting to submit a report. If that is unavailable, open a draft issue marked [SECURITY] and include only a general description — no exploit details.

Scope

This policy covers:

  • Config settings that behave differently than documented (e.g., a setting described as "off" that doesn't actually disable telemetry)
  • Recommendations that could cause unintended data exposure
  • Errors in vendor default documentation that lead to a false sense of privacy

This policy does not cover vulnerabilities in the tools themselves (VS Code, Cursor, Claude Code, etc.). Report those directly to the respective vendor.

Response

Maintainers will acknowledge reports within 7 days and aim to publish a fix or advisory promptly.
