If you discover a security vulnerability, please report it via a private security advisory on GitHub.

Do not open a public issue for security vulnerabilities.

You should receive a response within 48 hours. If the vulnerability is confirmed, a fix will be released as soon as possible.

This policy covers the plugin code, MCP server, and NPM package in this repository. It does not cover third-party dependencies, though we will coordinate with upstream maintainers if a dependency vulnerability affects this project.