Do not report suspected vulnerabilities in public issues.
Use GitHub private vulnerability reporting when available. If it is unavailable for the affected repository, contact the repository owner through GitHub profile contact channels before sharing technical details.
Security fixes are released forward on the latest maintained release line only. Published tags and release assets are never rewritten.
In scope:
- vulnerabilities in source code, release artifacts, GitHub Actions workflows, CI/CD configuration, or packaged tooling
- secret exposure in logs, reports, diagnostics, or generated artifacts
- unsafe path handling, command execution, sandbox escape, or trust-boundary bypass
- integrity issues in build, release, SBOM, provenance, or checksums
Out of scope:
- intentionally vulnerable fixtures, examples, or tests
- dependency vulnerabilities without a reachable exploit path in the project
- third-party service outages
- social engineering, phishing, or physical attacks
- requests to mutate historical tags or release assets
Provide a minimal reproducible proof of concept, the affected version or commit, an impact analysis, and a remediation suggestion where possible.