Skip to main content
Report vulnerabilities through the repository security policy in SECURITY.md. Do not publish:
  • Private audit notes.
  • Exploit details before remediation.
  • Customer data.
  • Real secrets, tokens, webhook signatures, or provider keys.
Public security docs should explain supported configuration and safe operational behavior without exposing active vulnerabilities or private incident details.