If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue
2. Open a GitHub Security Advisory on this repo
3. Or contact the maintainer directly

• Acknowledgment: Within 72 hours of report
• Assessment: Within 7 days with initial assessment

Only the latest version receives security updates.

• OAuth tokens are stored client-side only and never committed to the repository
• API keys should be configured via environment variables, not hardcoded
• The .env file is gitignored to prevent accidental credential exposure