Security: mbc-net/ai-support-agent-cli

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.x

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub Security Advisories to report vulnerabilities privately.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: within 48 hours of report
  • Initial assessment: within 5 business days
  • Fix target: patch release within 30 days for confirmed vulnerabilities

Scope

In Scope

  • Authentication bypass or token leakage
  • Command injection
  • Path traversal
  • Sensitive data exposure
  • Dependency vulnerabilities with exploitable impact

Out of Scope

  • Denial of service attacks
  • Social engineering
  • Issues in dependencies without a demonstrated exploit path
  • Issues requiring physical access to the user's machine

Disclosure

We follow coordinated disclosure. We will work with you to understand and address the issue before any public disclosure.