Preferred: open a private GitHub Security Advisory if available, or create an issue using the security template or label. If you need a private reply, open a private GitHub Security Advisory when possible. Otherwise include your GitHub handle in the report and I will reply on GitHub. Note that this is a personal account and I may not be able to review every report.

If you use the security issue template it will collect the key details. Otherwise please include the affected commit or version, clear reproduction steps, and a short impact summary. Logs or a minimal proof of concept are helpful but optional.

I may acknowledge reports when I can. Do not rely on a response. I prefer coordinated disclosure. If you plan to publish details please give reasonable time to address the issue.