Security fixes are handled for the current main branch and the latest released version.

Do not report security vulnerabilities in public issues.

If the repository is hosted on GitHub, use GitHub private vulnerability reporting when available. Otherwise, contact a maintainer through a private channel and include:

• a clear description of the issue
• steps to reproduce
• potential impact
• affected files or versions
• any safe proof of concept

Please avoid including real user data, stream data, cookies, tokens, or moderator credentials.

Relevant issues include:

• unintended real moderation actions
• storage leaks or exposure of trusted users/history
• DOM selector behavior that can trigger unsafe actions
• extension permission expansion
• bypasses that materially affect moderation behavior

General moderation accuracy issues and false positives should usually be reported as bugs unless they create a security or safety risk.