Do not disclose vulnerabilities in a public issue. Use GitHub's Report a vulnerability option in the repository Security tab. If private vulnerability reporting is unavailable, contact the maintainers privately through the organization profile.
Include the affected version, impact, reproduction details, and any known mitigation.