Security: asharahmed/helix

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities through GitHub Security Advisories. Do not open a public issue.

Scope

The following are in scope:

  • Webhook authentication bypass
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Scripting (XSS)
  • Information disclosure

Response

  • Acknowledgement within 48 hours
  • Fix or mitigation within a reasonable timeframe depending on severity
  • Credit in the changelog unless you prefer to remain anonymous

There aren't any published security advisories