Please do not report security vulnerabilities through public GitHub issues, discussions, or other public channels.

Instead, please disclose them responsibly by contacting our security team at:
📧 [email protected]

• Detailed description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Suggested fixes or mitigations (if known)

• Acknowledgement within 48 hours
• Initial assessment within 5 business days
• Regular updates on remediation progress
• Public disclosure timeline coordinated with reporter

Critical security patches are released as soon as they're available. All security-related updates will be marked with [SECURITY] in release notes.

While we don't currently have a formal bug bounty program, we gratefully acknowledge responsible disclosures by:

• Listing contributors in our Security Hall of Fame
• Providing written recommendations (upon request)
• Public thank-you in release notes (with permission)

Note: This policy may be updated periodically. Last revised: {05 2025}