Report vulnerabilities to active maintainers with reproducible steps and clear impact assessment. We will create a GitHub security advisory to coordinate disclosure and may invite you to collaborate.

We support safe harbor for security researchers who:

• Avoid privacy violations, data destruction, and service degradation
• Only access accounts they own or have explicit permission to test
• Report any PII encountered immediately and purge local copies
• Allow reasonable time to resolve issues before public disclosure

We will not pursue legal action for research conducted under this policy and will assist if a third party does. Submit a report before engaging in conduct not covered here.