Please do not report security vulnerabilities in public issues.

Use GitHub Security Advisories for private disclosure:

1. Open the repository Security tab.
2. Select "Report a vulnerability".
3. Include reproducible details, affected commands/endpoints, and impact.

If private reporting is temporarily unavailable, open a minimal public issue requesting a maintainer security contact channel without sharing exploit details.

• Initial acknowledgement: within 72 hours.
• Triage update: within 7 days.
• Fix timeline: based on severity, with coordinated disclosure once a patch or mitigation is available.

Pluro follows coordinated disclosure.

• Reporters are credited in release notes when requested.
• Public details are shared after remediation guidance is available.