Security reports are especially useful for:

• arbitrary file read or write behavior
• unsafe module loading behavior
• environment variable exposure
• HTTP request handling vulnerabilities

Please do not post exploit details in a public issue.

If the repository hosting platform provides a private reporting channel, use it first. If no private channel is available, open a minimal issue asking maintainers for a secure contact method and omit sensitive details.

When possible, include:

• affected version or commit
• impact summary
• reproduction steps
• proof of concept or logs
• suggested mitigation if known

Maintainers should acknowledge a report, reproduce the issue, assess severity, and coordinate a fix before public disclosure when practical.