Security: dexisback/curtus

SECURITY.md

Security Policy

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.

Instead, report privately by contacting the maintainers with:

  • A clear description of the issue
  • Reproduction steps or proof of concept
  • Impact assessment (what could be accessed/modified)
  • Suggested remediation if available

If you do not have a private contact channel yet, open a minimal public issue asking for a private disclosure path without sharing exploit details.

Response Expectations

Maintainers aim to:

  • Acknowledge receipt within 72 hours
  • Provide an initial severity and triage response within 7 days
  • Work on a fix and coordinate disclosure timing where appropriate

Scope

Security issues include, but are not limited to:

  • Authentication/authorization bypass
  • Data exposure or insecure direct object access
  • Credential/token leakage
  • Injection vulnerabilities
  • Realtime event abuse that breaks room isolation or member privacy

Safe Harbor

Good-faith research and responsible disclosure are appreciated. Please avoid privacy violations, service disruption, and destructive testing against production systems.

There aren't any published security advisories