Use GitHub private vulnerability reporting when available. If it is not available, open an Issue containing only a short, sanitized description and ask for a private contact channel.
Never include:
- API keys, tokens, passwords, cookies, or OAuth material
- complete environment snapshots
- private repository paths or customer identifiers
- raw authentication files
- logs that contain request headers or credentials
Include the affected version, operating system, finding ID, safe reproduction steps, and whether the impact is observed, inferred, or confirmed.
Security fixes are applied to the latest release on main while the project is in its initial alpha phase.
The auditor is designed not to collect or emit secret values. A regression that causes a secret value to appear in text or JSON output is considered a high-severity vulnerability.