Please report security vulnerabilities privately — don't open a public issue, pull request, or discussion for them.

Use GitHub's private vulnerability reporting: open the Security tab of the affected repository and click Report a vulnerability. That starts a private advisory thread visible only to the maintainers and you. It's enabled on every public repository in this organization.

Helpful things to include:

• the repository and the affected version or commit,
• what the issue is and its impact,
• steps to reproduce — a proof of concept if you have one,
• any suggested fix.

These are actively maintained but small projects. We aim to acknowledge a report within a few days, keep you posted as we look into it, and credit you in the advisory when a fix ships (unless you'd rather stay anonymous). Please give us a reasonable window to address the issue before disclosing it publicly.

This policy covers the source in this organization's repositories. A report against a specific deployed instance you don't operate should go to whoever runs it.