Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability, please report it privately:
Email: [[email protected]]
You should receive a response within 48 hours. If not, please follow up to ensure we received your report.
Please provide:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Affected versions (if applicable)
- Suggested fix (if you have one)
- Any supporting materials (proof-of-concept, screenshots, etc.)
We'll acknowledge your report within 48 hours.
We'll investigate and validate the issue within 7 days.
We'll develop and test a fix.
We'll coordinate disclosure timing with you.
We'll release the security update.
We'll acknowledge your contribution (unless you prefer anonymity).
When contributing to this repository:
- ❌ Never commit credentials, API keys, or secrets
- ✅ Use environment variables for sensitive configuration
- ✅ Keep dependencies up to date
- ✅ Run security tests before submitting pull requests
- ✅ Review the
.gitignoreto ensure sensitive files are excluded
This repository uses:
- Dependabot - Automated dependency vulnerability alerts and updates
- GitHub Code Scanning - Automated security analysis
- Secret Scanning - Prevents credential leaks
- Branch Protection - Prevents direct commits to main
If you have questions about this security policy, please open a discussion or contact the maintainers.
Last Updated: November 2025