Security fixes are applied to the default branch and latest deployed version.

Please do not open public issues for security vulnerabilities.

Instead, report privately with:

• Vulnerability summary
• Reproduction steps
• Impact assessment
• Suggested remediation (optional)

For a private channel, email dot.systems@proton.me with the subject line starting with [security]. We do not use the public issue tracker for undisclosed reports.

Security concerns include (but are not limited to):

• Authentication and authorization flaws
• Injection vulnerabilities
• Sensitive data exposure
• Supply chain/dependency risks
• Misconfigured deployment settings

After a fix is prepared and validated, maintainers may publish a coordinated disclosure note with remediation guidance.