Security fixes are handled for the default branch unless maintainers document a separate release branch.
Please report suspected vulnerabilities privately instead of opening a public issue.
Include as much of the following as possible:
- affected route, component, API, or dependency,
- clear reproduction steps,
- expected and actual behavior,
- potential impact,
- relevant logs or screenshots with secrets and personal data removed.

Maintainers should acknowledge valid reports, investigate the issue, and coordinate a fix before public disclosure.
Do not:
- access, modify, or delete other users' data,
- test against accounts or systems you do not own,
- publish exploit details before maintainers have had time to respond,
- include real secrets, tokens, private keys, or personal data in a report.

Security researchers are encouraged to use safe proof-of-concept inputs and to stop testing once impact is demonstrated.