Report suspected vulnerabilities privately to the repository owner through an appropriate private GitHub contact channel. Do not open a public issue containing exploit details, credentials, tokens or private data.

Include:

• affected component;
• reproducible steps without secrets;
• expected and observed behavior;
• potential impact;
• proposed mitigation, when available.

Do not submit:

• ANA identifier, CPF or CNPJ;
• passwords;
• authentication tokens;
• authorization headers;
• .Renviron files;
• token caches;
• raw private logs;
• private user-uploaded data.

Security corrections are applied to the current public release branch. Historical snapshots and local pipeline workspaces are not supported deployments.