# Security Policy

Do not report sensitive vulnerabilities through public issues.

Use the repository security advisory workflow or a private maintainer contact channel when this repository is published.

When reporting, include:

- affected component
- impact summary
- reproduction steps
- configuration assumptions
- any suggested mitigation or patch direction