Please report suspected vulnerabilities privately to the repository maintainers. Do not open a public issue containing exploit details, secrets, private API payloads, or credentials.

Never commit API keys, Telegram tokens, webhook URLs, SSH credentials, or private user data. Use environment variables or local ignored env files.

Until a public release process is established, security fixes are handled on the main development branch.