Please report security issues privately to tomfordweb@gmail.com.

Do not open a public issue for anything that could be exploited (for example, command injection through the bd wrapper or handling of untrusted issue data).

I'll acknowledge your report within 7 days and aim to ship a fix or mitigation as quickly as the severity warrants. Coordinated disclosure is appreciated — please give me a reasonable window to release a fix before going public.

beads.nvim is pre-1.0. Only the latest release receives security fixes.