Report via issue template "Security vulnerability" or email security@goldshore.org. No public disclosure until confirmed & fixed. Acknowledge within 24h when possible.