Do not report security vulnerabilities through public GitHub Issues.

Email security@raintree.technology with:

• Affected repository and version
• Description and steps to reproduce
• Potential impact and any suggested mitigations

• Acknowledgment: within 48 hours
• Initial assessment: within 5 business days
• Resolution: prioritized by severity

We follow responsible disclosure. We will patch, publish a GitHub security advisory, and credit the reporter (unless they prefer anonymity). Please do not disclose publicly until a fix is released.