| Version | Supported |
|---|---|
| Latest (main) | ✅ |
| Older branches | ❌ |

Please do not report security vulnerabilities through public GitHub issues.
Report them privately by opening a GitHub Security Advisory in this repository.
Include as much of the following information as possible:
- Type of vulnerability (e.g. buffer overflow, SQL injection, cross-site scripting)
- Full paths of source files related to the vulnerability
- Location of the affected source code (tag, branch, commit, or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how an attacker might exploit it

We will acknowledge your report within 48 hours and aim to release a patch within 14 days for critical issues. You will be credited in the release notes unless you prefer to remain anonymous.
Once a fix is ready and deployed, we will:
- Publish a GitHub Security Advisory with full details
- Credit the reporter (unless they opt out)
- Tag a new release with the fix

We ask that you give us reasonable time to patch before any public disclosure.