GitHub private vulnerability reporting is the canonical path for this repository.

If you discover a security issue, report it there first. Do not open a public issue or pull request for security-sensitive findings.

• accidental secret leakage
• credentials, tokens, or private keys
• unsafe examples that expose real infrastructure
• private operational URLs or internal-only file paths
• sensitive logs, rendered config output, or other secret-bearing artifacts
• a vulnerability that could materially affect users or maintainers

Public issues and pull requests are not appropriate for:

• secret exposure
• credential leaks
• infrastructure-sensitive disclosures
• unredacted logs or config output
• exploit details before maintainers have had time to assess the report

All contributed material must be:

• sanitized
• generalized where needed
• free of secrets
• safe for public reuse