Please do not open public GitHub issues for security reports.

Use GitHub Security Advisories for private disclosure.

Include:

• A description of the issue and its impact.
• Reproduction steps.
• Affected versions, if known.

We acknowledge reports within 72 hours. We aim to provide a fix or remediation plan within 14 days for confirmed issues, depending on severity.

The validator CLI, GitHub Action, IDE extension, worker, and website surfaces are all in scope. Third-party dependencies should be reported to their respective maintainers.