CommonPHP packages are designed to be small, focused libraries. Security-sensitive behavior should be handled deliberately by the package responsible for that concern.

If you find a security issue, do not open a public issue with exploit details. Contact the maintainers through the project's private disclosure channel once one is published.

Until a dedicated channel exists, report only minimal public information and avoid publishing proof-of-concept exploit code.

Please give maintainers reasonable time to investigate and prepare a fix before disclosing details publicly. Security fixes should include tests when practical.