If you discover a security vulnerability, please report it responsibly:

1. Do not open a public issue
2. Use GitHub Security Advisories to report privately
3. Include steps to reproduce, if possible
4. You can expect an initial response within 48 hours