Do not open a public issue for a suspected vulnerability.
Report vulnerabilities privately through a GitHub security advisory. Include the affected version or commit, reproduction steps, impact, and any suggested mitigation when available.
Do not include live credentials, tunnel identifiers, API keys, or private message content. Use minimal synthetic data when demonstrating a vulnerability.