Do not open public issues for undisclosed vulnerabilities.
Report security issues privately to the maintainer with:
- affected module or surface
- reproduction steps
- impact assessment
- any suggested mitigation

Relevant reports include:
- auth or session bypass
- CSRF, host validation or request parsing flaws
- secrets leakage
- unsafe file, media or storage handling
- unsafe admin or tracing exposure

After a fix is available, documentation and release notes should describe the impact and any required operator action.