Do not open public issues for security reports.
Use GitHub private vulnerability reporting if it is enabled on the affected repository. If it is not available, contact the maintainers privately on GitHub and include:
- affected repository and version
- impact
- reproduction steps
- any suggested mitigation
Initial acknowledgement target: within 3 business days.