Security Policy Report vulnerabilities via Security → Advisories (private draft). No PII, API keys, or secrets in repo. All third-party links reviewed before merging.